
[auto-instrumentation] Init containers image run as root prevents usage of auto-injection where OPA Policies enforce runAsNonRoot #2272

Open
santhotech opened this issue Oct 24, 2023 · 4 comments
Labels
area:auto-instrumentation Issues for auto-instrumentation bug Something isn't working needs-info

Comments

@santhotech

Component(s)

instrumentation

What happened?

Description

With the recent release of the operator, the init containers take the securityContext of the container into which they are injecting the instrumentation libraries. However, several enterprises enforce runAsNonRoot to be true in the application containers through OPA policies. With this update, when the initContainers inherit runAsNonRoot, they error out with the following error:
"Error: container has runAsNonRoot and image will run as root (pod: xxx, container: opentelemetry-auto-instrumentation-java)"

Steps to Reproduce

  1. Create a pod with a container running a basic Java application
  2. Set the container securityContext to have runAsNonRoot: true
  3. Create an instrumentation object
  4. Add the auto-instrumentation annotation to the container where instrumentation is required - instrumentation.opentelemetry.io/inject-java: true

Expected Result

The initContainer should come up successfully and inject the instrumentation libraries

Actual Result

The initContainer fails to come up with the error mentioned above.

Kubernetes Version

1.23.0

Operator version

0.87.0

Collector version

0.87.0

Environment information

No response

Log output

No response

Additional context

No response
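The error quoted above comes from the kubelet's pre-start check, not from OPA itself: with runAsNonRoot: true and no explicit runAsUser, the kubelet has to prove from the image's USER metadata that the process will not be UID 0, and an init image that runs as root cannot pass that check. The following Go snippet is an added illustration, not code from the operator or from the issue, that models that decision logic as I understand it (the field names and the `ImageUser` type are assumptions) and shows why an explicit non-zero `runAsUser` on the pod or container sidesteps the image inspection.

```go
package main

import "fmt"

// SecurityContext models the two securityContext fields the kubelet
// consults for the runAsNonRoot verification.
type SecurityContext struct {
	RunAsNonRoot *bool
	RunAsUser    *int64
}

// ImageUser models what the runtime reports about the image's USER
// directive: a numeric UID when resolvable, otherwise the raw name.
type ImageUser struct {
	UID      *int64
	Username string
}

// VerifyRunAsNonRoot mirrors (as an assumption about kubelet behaviour)
// the check performed before a container starts.
func VerifyRunAsNonRoot(sc SecurityContext, img ImageUser, container string) error {
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		return nil // nothing to enforce
	}
	if sc.RunAsUser != nil {
		if *sc.RunAsUser == 0 {
			return fmt.Errorf("container's runAsUser breaks non-root policy (container: %s)", container)
		}
		return nil // explicit non-zero UID: the image's USER is never inspected
	}
	switch {
	case img.UID != nil && *img.UID == 0:
		// The case reported in this issue: inherited runAsNonRoot, init image runs as root.
		return fmt.Errorf("container has runAsNonRoot and image will run as root (container: %s)", container)
	case img.UID == nil && img.Username != "":
		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root (container: %s)", img.Username, container)
	}
	return nil
}

func i64(v int64) *int64 { return &v }
func b(v bool) *bool     { return &v }

func main() {
	rootImage := ImageUser{UID: i64(0)} // constructed: init image with no non-root USER
	inherited := SecurityContext{RunAsNonRoot: b(true)}
	fmt.Println(VerifyRunAsNonRoot(inherited, rootImage, "opentelemetry-auto-instrumentation-java"))
	// Mitigation: a non-zero runAsUser satisfies the policy without image inspection.
	fixed := SecurityContext{RunAsNonRoot: b(true), RunAsUser: i64(1000)}
	fmt.Println(VerifyRunAsNonRoot(fixed, rootImage, "opentelemetry-auto-instrumentation-java"))
}
```

Setting `runAsUser` at the pod level applies to init containers as well, so it is the simplest way to keep a runAsNonRoot policy satisfied while an init image still runs as root by default.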

@santhotech santhotech added bug Something isn't working needs triage labels Oct 24, 2023
@TylerHelmuth TylerHelmuth added area:auto-instrumentation Issues for auto-instrumentation and removed needs triage labels Oct 24, 2023
@TylerHelmuth
Member

TylerHelmuth commented Oct 24, 2023

@santhotech I was not able to reproduce this problem locally yet. When I set runAsNonRoot: true on the application container the SecurityContext, including runAsNonRoot, is correctly copied to the initContainer which runs as expected.

@santhotech
Author

@TylerHelmuth I noticed I had not mentioned that I am using auto-instrumentation-java image version 1.31.0; I was able to replicate it again. Can you clarify whether this is the same version you tried?

@TylerHelmuth
Member

@santhotech are you able to reproduce this issue in a local kind cluster?

@vickas522

@santhotech, hey Santosh, were you able to fix it? I want to auto-instrument the OpenTelemetry agent into a pod that has securityContext set to runAsNonRoot: true.
