Open Policy Agent
v0.58.0 release notes mention all images running rootless #527
Replies: 3 comments 1 reply
-
|
Hi @leefernandes 👋 Yeah that was an issue with the envoy image. Should be fixed in v0.59.0. See open-policy-agent/opa#6394 |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @anderseknert ! Looks like 0.59 was released 3 hours ago, looking forward to the 0.59-envoy image 👍 |
Beta Was this translation helpful? Give feedback.
-
|
@anderseknert In 0.59.0-envoy there is still a static image using a root user 0, and a separate rootless image using user 1000. Do you know if there are any notes on the differences between the envoy images? I'm looking to find out why the static image isn't using user 1000. Using the following image I continue to get a root user warning. container_pull(
name = "opa-envoy",
digest = "sha256:b9eb4c50bfbcc38626318a1485f6a13867c1dd034b3cdc6b897f4f4012e02e66",
registry = "docker.io",
repository = "openpolicyagent/opa",
tag = "opa:0.59.0-envoy-static",
)"msg": "OPA running with uid or gid 0. Running OPA with root privileges is not recommended."Maybe the note regarding rootless is just not intended for envoy static images? |
Beta Was this translation helpful? Give feedback.
-
|
@leefernandes currently this only applies to OPA images and not the plugin. For the plugin only the |
Beta Was this translation helpful? Give feedback.
-
https://github.com/open-policy-agent/opa/releases/tag/v0.58.0
But that's not entirely accurate. Does anyone know why static images still run root?
https://hub.docker.com/layers/openpolicyagent/opa/0.58.0-envoy-11-static/images/sha256-733241fcf4e5ee2297e351f33233898e687ebc065979a71162cddaffbe163d20?context=explore
Beta Was this translation helpful? Give feedback.
All reactions