Metriche repository
- Star
- (27.997 star)
- Metriche merge PR
- (Merge medio 8g) (378 PR mergiate in 30 g)
Descrizione
Description: Some organizations have podsecuritypolicies that prevent containers from running as root.
https://github.com/envoyproxy/envoy/blob/main/ci/docker-entrypoint.sh#L27 https://github.com/envoyproxy/envoy/blob/main/ci/Dockerfile-envoy#L26
After reading the dockerfile and entrypoint script it seems that the container starts off as root but later su-execs to be the envoy user. This isn't good enough for Kubernetes which still sees a container being started as root.
Is there ever a reason to allow Envoy to run as root rather than just doing the logic of the entrypoint script right in the dockerfile with a USER envoy directive?
[optional Relevant Links:] In the knative kourier project envoy is leveraged but envoy is ran as root https://github.com/knative-sandbox/net-kourier/pull/593 https://github.com/knative/operator/issues/710