Repository-Metriken
- Stars
- (27.997 Stars)
- PR-Merge-Metriken
- (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)
Beschreibung
Description: Some organizations have podsecuritypolicies that prevent containers from running as root.
https://github.com/envoyproxy/envoy/blob/main/ci/docker-entrypoint.sh#L27 https://github.com/envoyproxy/envoy/blob/main/ci/Dockerfile-envoy#L26
After reading the dockerfile and entrypoint script it seems that the container starts off as root but later su-execs to be the envoy user. This isn't good enough for Kubernetes which still sees a container being started as root.
Is there ever a reason to allow Envoy to run as root rather than just doing the logic of the entrypoint script right in the dockerfile with a USER envoy directive?
[optional Relevant Links:] In the knative kourier project envoy is leveraged but envoy is ran as root https://github.com/knative-sandbox/net-kourier/pull/593 https://github.com/knative/operator/issues/710