Comments (8)
jharris-
commented on September 28, 2024
2
Should be good to add runAsNonRoot to avoid needing to set the UID/GID.
In addition to the initial request, could you add the agones-gameserver-sidecar to the scope of work?
from agones.
markmandel
commented on September 28, 2024
Not very familiar with these fields - but does it need to be configurable, or is this something we could set ourselves and leave on always?
On Agones we set the user and group, so that probably shouldn't be configurable? And I can't think of a situation where we'd want an Agones Pod to enable allowPrivilegeEscalation?
from agones.
ThatDevopsGuy
commented on September 28, 2024
@markmandel - I can't think of a reason why a game server would require a specific UID/GID. I could imagine that some binaries might want to bind to a privileged port to offer a some sort of file serving in-client (e.g. downloading a missing asset), however.
Perhaps it's best to let it be easily configurable with overrides, should they be needed, but the defaults comply with existing K8S security audits.
from agones.
zmerlynn
commented on September 28, 2024
@jharris- Sure, sounds good!
from agones.
markmandel
commented on September 28, 2024
@markmandel - I can't think of a reason why a game server would require a specific UID/GID.
This ticket isn't for GameServer pods though - you can set whatever you like on there via the GameServer.Spec.Template -- this is for the Agones components themselves.
I'm trying to work out why they should be configurable. It seems like they should be set to optimal values, whatever that may be.
from agones.
ThatDevopsGuy
commented on September 28, 2024
I'm trying to work out why they should be configurable. It seems like they should be set to optimal values, whatever that may be.
Another way to put it might be, is there any reason why runAsNonRoot wouldn't work? I think that might be all we need across the board, so the specific request might be better expressed as such.
from agones.
markmandel
commented on September 28, 2024
Another way to put it might be, is there any reason why runAsNonRoot wouldn't work? I think that might be all we need across the board, so the specific request might be better expressed as such.
I believe we are in furious agreement 😃
from agones.
zmerlynn
commented on September 28, 2024
That's good, because we were going to start with just defaulting this to runAsNonRoot, which will assert that the container images is doing the right thing.
But it's easy enough to make the securityContext blob configurable with that as the default. Are you saying it should not be?
from agones.
Related Issues (20)
- Move Feature GKEAutopilotExtendedDurationPods to Beta HOT 6
- Migration from pterodactyl to agones | Egg like solution | More real steamserver examples
- Issue with Agones Game Server Connectivity Using Cilium CNI HOT 8
- Fleet autoscaler with "List" policy throws an error if configured with a fleet with no replicas HOT 4
- CORS enabled on ping service
- Upgrade to Golang 1.22.6 HOT 2
- Extend Webhook autoscaler to send fleet metadata with the request HOT 4
- Add chain ID status to fleetautoscaler event logger
- FleetAutoscaler with Counter policy trying to scale Fleet to negative replicas count HOT 2
- Add logging to webhook failure and schedule parsing errors for Schedule/Chain policies
- Game servers are having some delays until getting external IPs from agones SDK HOT 1
- Update AWS Provider Version for Terraform module to fix Timeout Rather than Manual Workarounds
- Incorrect error logging caused by ResourceVersion conflict on SDK Patch call HOT 2
- Release 1.43.0 HOT 1
- Support GameServer.Spec.SdkServer.LogLevel "Trace" HOT 1
- Rolling updates do not progress if all game servers in the fleet are in the `Allocated` state
- Doc: "Available metrics" mark up was broken down HOT 1
- Cannot Use Agones SDK Image on Windows 2022 Node Due to Missing os.version in Docker Manifest
- Add Helm Chart Variable for Configuring SIDECAR_IMAGE Independently
- Clarrification on the metric `gameserver_creation_duration`
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from agones.