Use a numeric User ID for the "agones" user in the SDK sidecar #1293
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
|
Build Succeeded 👏 Build Id: 943ae711-0d65-4257-afa0-239772db8c27 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
|
Note: Following up with my employer regarding CLA, which we have signed, but I am apparently not added to the authorised contributors list. |
|
@TBBle this is awesome! Thanks for taking this on 👍 Are you going to the same for the all the Agones components (and maybe the examples?), either in this PR or others? Just wondering if I should hold off on reviewing/merging this, in case you were going to expand it further. |
|
I'll do the same thing for the other services, since my colleague has already tested that the same change applies to them and functions correctly. I'll have a look at the examples, and do them if I'm confident. I'm currently waiting for the CLA to be sorted out at my end, so I'm hopeful for 'tomorrow' but not confident. |
TBBle
force-pushed
the
sidecar_with_numeric_uid
branch
from
b956bf4
to
7fbaf13
Compare
|
Build Succeeded 👏 Build Id: 110c6691-0efb-4c52-bba7-ac3edde7522b The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
TBBle
force-pushed
the
sidecar_with_numeric_uid
branch
2 times, most recently
from
5e38ae6
to
bc99720
Compare
|
I've now updated the other Agones components (tested locally) and the examples (not tested locally). So this is all ready to go except the CLA, which is pending an action on our end. |
|
Build Succeeded 👏 Build Id: a5086c5d-8a1f-4629-b0b1-47c75df98d70 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
|
Build Succeeded 👏 Build Id: e395a3a2-f6cf-4506-9a7e-46c1bdd229c6 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
roberthbailey
requested review from
markmandel
and removed request for
roberthbailey and
dzlier-gcp
|
Everything looks great - I want to run a quick check on the changes to the examples, but once I've done that, happy to approve! |
|
Quick thought on this - if you want to have the example images be updated, please go through each example's Makefile and increment the version number 👍 If we're happy leaving the example images alone, then we can continue as is. (Probably better to increment though) |
|
Smoke tested the change in the simple-udp example -- looks good! |
markmandel
added
area/operations
TBBle
force-pushed
the
sidecar_with_numeric_uid
branch
from
bc99720
to
d357f61
Compare
|
Build Succeeded 👏 Build Id: 81b7e1cb-5c9b-4856-a168-68e161ed90a4 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
TBBle
force-pushed
the
sidecar_with_numeric_uid
branch
from
d357f61
to
c2f13ae
Compare
|
I updated the versions in all the Makefiles. I also noticed I'd missed the unity-simple example, as it was running as root, and I'd been looking for |
|
Build Succeeded 👏 Build Id: d99ece12-361a-4981-ba87-d4b776de2d8d The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
|
Sounds good to me! I can take care of updating the images, and pushing them up. 👍 they are probably due for a review to make sure they all still work. |
|
@googlebot I signed it! |
|
Just having a look @TBBle - seems like your account is still not added as a contributor 😞 it might take some time though to propagate, I'll take another look tomorrow. |
TBBle
force-pushed
the
sidecar_with_numeric_uid
branch
from
c2f13ae
to
1c2a58f
Compare
|
It's a corporate CLA, apparently we're waiting to hear back from someone at Google. I'll keep chasing at my end. |
|
Build Failed 😱 Build Id: b54156e1-b2ae-40c4-b610-83331e892dee To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
|
Build Succeeded 👏 Build Id: 4a7d10c2-c830-4471-aba8-5c4000a257d7 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
|
@googlebot I signed it! This time I can see it on https://cla.developers.google.com/clas |
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
This fixes failure of the container to start when run on a system with a PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot". Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
Creating a non-system user named 'agones' also creates a group named 'agones'. For consistency, the files should be owned by that group. Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
This fixes failure of the container to start when run on a system with a PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot". Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
This fixes failure of the container to start when run on a system with a PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot". Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
TBBle
force-pushed
the
sidecar_with_numeric_uid
branch
from
1c2a58f
to
d875db5
Compare
|
Build Succeeded 👏 Build Id: 32b059fd-aceb-489a-9a80-9bbf81e65d0b The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: markmandel, TBBle The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…eforgames#1293) * Use a numeric User ID for the agones user This fixes failure of the container to start when run on a system with a PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot". * Set group-ownership of files to 'agones' group. Creating a non-system user named 'agones' also creates a group named 'agones'. For consistency, the files should be owned by that group. * Use a numeric User ID in the Debian-based examples This fixes failure of the container to start when run on a system with a PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot". * Use a numeric User ID in the Alpine-based examples This fixes failure of the container to start when run on a system with a PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot". Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
This fixes failure of the sdk sidecar container to start when run on a system with a
PodSecurityPolicyspecifyingRunAsUseras "MustRunAsNonRoot".Kubernetes cannot determine if a non-numeric User in the container metadata is 'root' or not.
Fixes: #1287