runAsUser SecurityContext not working for windows #797

Merged
merged 2 commits into from
May 30, 2023


dloucasfx
Contributor

@dloucasfx dloucasfx commented May 26, 2023

Based on kubernetes/kubernetes#102849, runAsUser is not currently working for Windows.
This prevents the agent from starting:

Events:
  Type     Reason             Age   From                     Message
  ----     ------             ----  ----                     -------
  Normal   Scheduled          16s   default-scheduler        Successfully assigned default/splunk-otel-collector-1685115615-agent-gsb8n to ip-10-10-7-216.ec2.internal
  Normal   ResourceAllocated  16s   vpc-resource-controller  Allocated Resource vpc.amazonaws.com/PrivateIPv4Address: 10.10.11.36/19 to the pod
  Warning  FailedMount        16s   kubelet                  MountVolume.SetUp failed for volume "kube-api-access-26vnh" : chown c:\var\lib\kubelet\pods\3905601f-f6c7-401a-a328-e44bf75d80a6\volumes\kubernetes.io~projected\kube-api-access-26vnh\..2023_05_26_15_40_20.3621507769\token: not supported by windows
  Warning  FailedMount        16s   kubelet                  MountVolume.SetUp failed for volume "kube-api-access-26vnh" : chown c:\var\lib\kubelet\pods\3905601f-f6c7-401a-a328-e44bf75d80a6\volumes\kubernetes.io~projected\kube-api-access-26vnh\..2023_05_26_15_40_20.1631205512\token: not supported by windows
  Warning  FailedMount        14s   kubelet                  MountVolume.SetUp failed for volume "kube-api-access-26vnh" : chown c:\var\lib\kubelet\pods\3905601f-f6c7-401a-a328-e44bf75d80a6\volumes\kubernetes.io~projected\kube-api-access-26vnh\..2023_05_26_15_40_22.3704774755\token: not supported by windows
  Warning  FailedMount        12s   kubelet                  MountVolume.SetUp failed for volume "kube-api-access-26vnh" : chown c:\var\lib\kubelet\pods\3905601f-f6c7-401a-a328-e44bf75d80a6\volumes\kubernetes.io~projected\kube-api-access-26vnh\..2023_05_26_15_40_24.1619713144\token: not supported by windows

This PR checks if runAsUser is defined in the securityContext for a Windows agent, cluster-receiver and gateway and removes it if it exists.

Finally, I have noticed that revert-patch-log-dirs-hook.yaml is rendered for Windows when securityContext.runAsUser and securityContext.runAsGroup are defined, although runAsUser does not work on Windows. I added an extra check to make sure not to bother when it's Windows.

Note: I still need to do more validation and testing as we changed some requirements. Still need to recover Fluentd and use the helper in other places.

@dloucasfx dloucasfx requested review from a team as code owners May 26, 2023 15:44
@dloucasfx dloucasfx force-pushed the OTL-2182 branch 2 times, most recently from 3a2c95c to 82fc9c9 Compare May 26, 2023 21:06
@dloucasfx dloucasfx changed the title runAsUser SecurityContext not working for windows runAsUser SecurityContext not working for windows (Do Not Merge) May 26, 2023
@dloucasfx dloucasfx force-pushed the OTL-2182 branch 2 times, most recently from 63d29a6 to 76a9b92 Compare May 26, 2023 21:13
Signed-off-by: Dani Louca <dlouca@splunk.com>
@dloucasfx dloucasfx changed the title runAsUser SecurityContext not working for windows (Do Not Merge) runAsUser SecurityContext not working for windows May 30, 2023
@dmitryax dmitryax merged commit 6e8a6d1 into main May 30, 2023
7 checks passed
@atoulme atoulme deleted the OTL-2182 branch July 10, 2023 15:11
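
An added example, not part of the pull request or the chart's own templates: a pre-deploy check in Python that applies the rule from the PR description to rendered workload manifests, removing runAsUser from the pod-level and container-level securityContext when the pod template targets Windows. The function names, the sample manifest and the use of the `kubernetes.io/os` nodeSelector to detect Windows are assumptions.

```python
import copy

OS_LABEL = "kubernetes.io/os"  # well-known node label used to target an OS


def drop_run_as_user(holder, path, findings):
    """Remove runAsUser from holder['securityContext'], recording where it was."""
    ctx = holder.get("securityContext")
    if isinstance(ctx, dict) and "runAsUser" in ctx:
        del ctx["runAsUser"]
        findings.append(f"{path}.securityContext.runAsUser")
        if not ctx:  # do not leave an empty securityContext behind
            del holder["securityContext"]


def sanitize_for_windows(manifest):
    """Return (cleaned_copy, findings) for a workload manifest given as a dict.

    Only pod templates whose nodeSelector targets Windows are changed.
    """
    cleaned = copy.deepcopy(manifest)
    findings = []
    pod_spec = cleaned["spec"]["template"]["spec"]
    if pod_spec.get("nodeSelector", {}).get(OS_LABEL) != "windows":
        return cleaned, findings
    drop_run_as_user(pod_spec, "spec", findings)
    for kind in ("initContainers", "containers"):
        for i, container in enumerate(pod_spec.get(kind, [])):
            drop_run_as_user(container, f"spec.{kind}[{i}]", findings)
    return cleaned, findings


def make_daemonset(os_name):
    """Constructed sample manifest, not taken from the chart."""
    return {
        "kind": "DaemonSet",
        "metadata": {"name": f"example-agent-{os_name}"},
        "spec": {"template": {"spec": {
            "nodeSelector": {OS_LABEL: os_name},
            "securityContext": {"runAsUser": 20000, "runAsGroup": 20000},
            "containers": [{"name": "otel-collector",
                            "securityContext": {"runAsUser": 0}}],
        }}},
    }


if __name__ == "__main__":
    for os_name in ("windows", "linux"):
        _, found = sanitize_for_windows(make_daemonset(os_name))
        print(os_name, found or "no change")
```

The findings list doubles as a lint result: a non-empty list on a rendered Windows manifest means the values still set runAsUser somewhere the kubelet will try to apply it.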