@merlimat merlimat commented Jun 8, 2021

…eate and Use pulsar User (nonroot user) (#8796)"

This reverts commit 4264a67.

Motivation

The change #8796 has broken the Pulsar
Functions running on Kubernetes.

The Pulsar Functions Kubernetes runtime generates a secret and mounts it
using mode 256. That means the secret is only able to be read by the user.
The StatefulSet created by the Kubernetes runtime mounts the secrets under the
root user. Hence only the root user is able to read the secret. As a
result, any functions submitted will fail to read the authentication
information.

Because all the Kubernetes resources generated by the Kubernetes runtime
are hardcoded, there is no easy way to change the security context for the
function statefulsets.

Let's revert this change for 2.8.0, until we can address the issues in the Kubernetes runtime.
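
The failure described in the PR description above, as an added example that is not part of the pull request or of Pulsar's code: it decodes the decimal mode `256` to octal `0400` and applies the POSIX owner/group/other read check to each Secret volume in a pod spec. The pod specs, the volume and secret names, and UID/GID 10000 are constructed, and the mounted files are assumed to be owned by root:root as the description states.

```python
# Added example, not Pulsar code. Pod specs, names and UID/GID 10000 are constructed.

def octal(mode):
    """Kubernetes JSON carries file modes as decimal integers: 256 -> '0400'."""
    return format(mode & 0o7777, "04o")

def can_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read check: only the first matching class (owner, group, other) applies."""
    if uid == 0:                      # root normally bypasses file permission checks
        return True
    if uid == file_uid:
        return bool(mode & 0o400)
    if file_gid in gids:
        return bool(mode & 0o040)
    return bool(mode & 0o004)

def unreadable_secret_volumes(pod_spec, file_uid=0, file_gid=0):
    """Return (volume name, octal mode) for Secret volumes the pod user cannot read.
    Assumes files are owned by root:root and that an unset runAsUser means root."""
    sc = pod_spec.get("securityContext", {})
    uid = sc.get("runAsUser", 0)
    gids = set(sc.get("supplementalGroups", []))
    if "runAsGroup" in sc:
        gids.add(sc["runAsGroup"])
    findings = []
    for vol in pod_spec.get("volumes", []):
        secret = vol.get("secret")
        if secret is None:
            continue
        mode = secret.get("defaultMode", 0o644)   # Kubernetes default when unset
        if not can_read(mode, file_uid, file_gid, uid, gids):
            findings.append((vol["name"], octal(mode)))
    return findings

VOLUMES = [{"name": "function-auth",
            "secret": {"secretName": "function-secret", "defaultMode": 256}}]
ROOT_POD = {"volumes": VOLUMES}
NONROOT_POD = {"securityContext": {"runAsUser": 10000, "runAsGroup": 10000},
               "volumes": VOLUMES}

if __name__ == "__main__":
    for name, pod in (("root", ROOT_POD), ("non-root", NONROOT_POD)):
        print(name, unreadable_secret_volumes(pod))
```
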

…eate and Use pulsar User (nonroot user) (apache#8796)"

This reverts commit 4264a67.
@merlimat merlimat added the type/bug, area/function and release/blocker labels Jun 8, 2021
@merlimat merlimat added this to the 2.8.0 milestone Jun 8, 2021
@codelipenghui codelipenghui merged commit 4f556a2 into apache:master Jun 8, 2021
codelipenghui pushed a commit that referenced this pull request Jun 8, 2021
#10861)

(cherry picked from commit 4f556a2)
@merlimat merlimat deleted the revert-non-root branch June 8, 2021 05:09
yangl pushed a commit to yangl/pulsar that referenced this pull request Jun 23, 2021
apache#10861)

bharanic-dev pushed a commit to bharanic-dev/pulsar that referenced this pull request Mar 18, 2022
apache#10861)
