仓库指标
- Star
- (27,997 star)
- PR 合并指标
- (平均合并 8天) (30 天内合并 378 个 PR)
描述
Description: Some organizations have podsecuritypolicies that prevent containers from running as root.
https://github.com/envoyproxy/envoy/blob/main/ci/docker-entrypoint.sh#L27 https://github.com/envoyproxy/envoy/blob/main/ci/Dockerfile-envoy#L26
After reading the dockerfile and entrypoint script it seems that the container starts off as root but later su-execs to be the envoy user. This isn't good enough for Kubernetes which still sees a container being started as root.
Is there ever a reason to allow Envoy to run as root rather than just doing the logic of the entrypoint script right in the dockerfile with a USER envoy directive?
[optional Relevant Links:] In the knative kourier project envoy is leveraged but envoy is ran as root https://github.com/knative-sandbox/net-kourier/pull/593 https://github.com/knative/operator/issues/710