Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove rootless images from build process #558

Merged
merged 1 commit into from
Jun 25, 2024
Merged

Remove rootless images from build process #558

merged 1 commit into from
Jun 25, 2024

Conversation

tjons
Copy link
Collaborator

@tjons tjons commented Jun 11, 2024

Resolves open-policy-agent/opa#6810 by removing rootless images from the Makefile, and thus, from the build/release process for opa-envoy-plugin.

@charlieegan3
Copy link
Contributor

Hey Tyler, thanks for picking this one up!

I think the first thing we need to do is to set the user arg to non root: https://github.com/open-policy-agent/opa-envoy-plugin/blob/main/Dockerfile#L13C1-L13C11, similar to this: https://github.com/open-policy-agent/opa/blob/b463d30028d927a00bf0143d6fbf0533bf5d6783/Dockerfile#L15

Then we can get a release out and share that that the default user has been updated to non-root.

Either in the same release, or in a follow on release, we can do as you have here, where we drop the rootless tags. We've made a big noise about the end of rootless images in the past for opa, but it might be good to do a final reminder in the next release for opa-envoy too.

@ashutosh-narkar might be able to provide some metrics on the image pulls for the rootless tags. Also Ash, let me know if you think that plan above sounds ok, and if you think we can do the user change and the dropping of the tags in the same release.

@charlieegan3
Copy link
Contributor 

$ docker image inspect openpolicyagent/opa:latest-envoy-static | jq .[0].Config.User
"0"

😞

@tjons
remove rootless images from build process
5575da5 
Signed-off-by: Tyler Schade <tyler.schade@solo.io>
@tjons tjons force-pushed the tjons/6810-remove-rootless-images branch from 5424666 to 5575da5 Compare June 13, 2024 19:38
@tjons
Copy link
Collaborator Author

tjons commented Jun 13, 2024

@charlieegan3 thanks for the pointer about the default user, I missed that part! Would you like me to restore the rootless build targets for that last release? If there are no users I'm not sure that it's necessary but I like the thought you put into this.

@charlieegan3
Copy link
Contributor

Hey, I think that the best course of action is to drop rootless tag at the same time as making the default image use a non-root user.

The rationale here being that we've already spent a lot of time letting users know that rootless images are discontinued and that they are not to be used. Making this change now in opa-envoy will be 'just' updating opa-envoy to be the same as OPA.

Do you think that makes sense too?

charlieegan3
charlieegan3 approved these changes Jun 19, 2024
View reviewed changes
Copy link
Contributor

@charlieegan3 charlieegan3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the work here @tjons 👏

charlieegan3 added a commit to charlieegan3/opa-envoy-plugin that referenced this pull request Jun 25, 2024
@charlieegan3
build: Use chainguard images from dockerhub
f05b661 
Merge after
open-policy-agent#558

Follows open-policy-agent/opa#6830

Signed-off-by: Charlie Egan <charlieegan3@users.noreply.github.com>
@charlieegan3 charlieegan3 mentioned this pull request Jun 25, 2024
Merged
@charlieegan3
Copy link
Contributor

When merging, we should rebase and merge #560 too.

anderseknert
anderseknert approved these changes Jun 25, 2024
View reviewed changes
Copy link
Member

@anderseknert anderseknert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@charlieegan3 charlieegan3 merged commit 2cd5f2b into open-policy-agent:main Jun 25, 2024
8 checks passed
charlieegan3 added a commit to charlieegan3/opa-envoy-plugin that referenced this pull request Jun 25, 2024
@charlieegan3
build: Use chainguard images from dockerhub
557bc2a 
Merge after
open-policy-agent#558

Follows open-policy-agent/opa#6830

Signed-off-by: Charlie Egan <charlieegan3@users.noreply.github.com>
charlieegan3 added a commit that referenced this pull request Jun 25, 2024
@charlieegan3
build: Use chainguard images from dockerhub (#560)
af93d4c 
Merge after
#558

Follows open-policy-agent/opa#6830

Signed-off-by: Charlie Egan <charlieegan3@users.noreply.github.com>
Co-authored-by: Charlie Egan <charlieegan3@users.noreply.github.com>
@tjons tjons deleted the tjons/6810-remove-rootless-images branch June 25, 2024 16:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@charlieegan3 charlieegan3 charlieegan3 approved these changes

@anderseknert anderseknert anderseknert approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cease pushing of opa-envoy rootless images
3 participants
@tjons @charlieegan3 @anderseknert