-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace run-proxy.sh with a binary #6172
Comments
tskinn
added a commit
to tskinn/linkerd2
that referenced
this issue
Jun 5, 2021
A docker image with a shell is required to run the identity helper The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script none Fixes linkerd#6172 Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
tskinn
added a commit
to tskinn/linkerd2
that referenced
this issue
Jun 11, 2021
A docker image with a shell is required to run the identity helper The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script none Fixes linkerd#6172 Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
tskinn
added a commit
to tskinn/linkerd2
that referenced
this issue
Jun 11, 2021
A docker image with a shell is required to run the identity helper The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script none Fixes linkerd#6172 Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
kleimkuhler
pushed a commit
that referenced
this issue
Jun 11, 2021
A docker image with a shell is required to run the identity helper which is undesirable. The logic for the identity helper shell script docker entry point has been moved into proxy-identity/main.go and the docker file has been updated to reflect the removal of the run-proxy.sh script Fixes #6172 Signed-off-by: Taylor Skinner <tskinn12@gmail.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
To support #5198, we should use a
distroless
image for the proxy's runtime (see #6165).In order to move to a more restricted container image, we can't rely on a shell being present in the runtime container, however the proxy is started by an init script
linkerd2/proxy-identity/run-proxy.sh
Lines 1 to 10 in e784b5b
We should either rewrite this as a small standalone binary or fold this logic directly into the identity helper and then update the proxy's dockerfile (as in https://github.com/linkerd/linkerd2/blob/d8f010d8ceedaba6f0509a3c5539c5a50844f4f4/Dockerfile-proxy) to use a restricted runtime image.
The text was updated successfully, but these errors were encountered: