-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix permission issue when copying cni plugins onto host path #24891
Conversation
As well, thanks for the contribution! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
I'm surprised this is necessary - @JohnJAS, what sort of issues did you have? Why was the |
@squeed If cilium agent pod was started as root user, the root user inside container could not directly copy stuffs to the cni folder on hostpath which was not owned by root user. A root user inside a container is not equal to the root user on the host machine. It needs cilium/install/kubernetes/cilium/templates/cilium-agent/daemonset.yaml Lines 469 to 471 in 5ca3696
IMO, if mount-cgroup container has the privileged flag, the same as install-cni-binaries .
Please refer to more details in #24889. |
Huh. "works on my machine", but clearly this fixes a real issue. LGTM. |
/test |
1 similar comment
/test |
hi @gandro, i found that the CI test failed due to the connection timed out, but i think it was not related to the code change. |
At the moment, only contributors with the commit bit can trigger the tests. Feel free to ping me or
There are multiple different test failures. Many of them have Cilium in a CrashLoopBackoff. Just looking at "Suite-k8s-1.25.K8sDatapathConfig Transparent encryption DirectRouting Check connectivity with transparent encryption and direct routing with bpf_host", the reason for the crash is:
This is fortunately an unrelated issue: We recently renamed that flag and the test driver code is using the new flag, where as you branch does not yet understand it. Could you rebase your PR on main to pull in the recent changes? After that, we can re-run CI again and triage the failures again. |
Signed-off-by: Joseph Sheng <jiajun.sheng@microfocus.com>
@gandro it's done, thanks for the reply ;-) |
/test |
Fix permission issue when copying cni plugins onto host path.
The root cause is that the init container 'install-cni-binaries' didn't have securityContext.privileged settings inside the yaml like other init containers do. It leads to that it failed to copy cni binaries onto the hostpath which has no root permisison.
Fixes: #24889
Signed-off-by: Joseph Sheng jiajun.sheng@microfocus.com