diff --git a/bundle/manifests/sailoperator.clusterserviceversion.yaml b/bundle/manifests/sailoperator.clusterserviceversion.yaml
index 660d28bc0..32aeb00c1 100644
--- a/bundle/manifests/sailoperator.clusterserviceversion.yaml
+++ b/bundle/manifests/sailoperator.clusterserviceversion.yaml
@@ -34,7 +34,7 @@ metadata:
 capabilities: Seamless Upgrades
 categories: OpenShift Optional, Integration & Delivery, Networking, Security
 containerImage: quay.io/maistra-dev/sail-operator:0.2-latest
- createdAt: "2024-10-11T11:23:10Z"
+ createdAt: "2024-10-12T05:18:57Z"
 description: Experimental operator for installing Istio service mesh
 features.operators.openshift.io/cnf: "false"
 features.operators.openshift.io/cni: "true"
@@ -374,7 +374,7 @@ spec:
 - v1.23.2
 - v1.22.5
 - v1.21.6
- - latest (67753026)
+ - latest (a53849ef)
 [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it.
 displayName: Sail Operator
@@ -598,10 +598,10 @@ spec:
 template:
 metadata:
 annotations:
- images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
- images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
- images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
- images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
+ images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
+ images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
+ images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6
 images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6
 images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6
@@ -767,13 +767,13 @@ spec:
 provider:
 name: Red Hat, Inc.
 relatedImages:
- - image: gcr.io/istio-testing/install-cni:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ - image: gcr.io/istio-testing/install-cni:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 name: latest.cni
- - image: gcr.io/istio-testing/pilot:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ - image: gcr.io/istio-testing/pilot:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 name: latest.istiod
- - image: gcr.io/istio-testing/proxyv2:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ - image: gcr.io/istio-testing/proxyv2:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 name: latest.proxy
- - image: gcr.io/istio-testing/ztunnel:1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ - image: gcr.io/istio-testing/ztunnel:1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 name: latest.ztunnel
 - image: docker.io/istio/install-cni:1.21.6
 name: v1_21_6.cni
diff --git a/chart/values.yaml b/chart/values.yaml
index d26e83ca7..785c06958 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -21,7 +21,7 @@ csv:
 - v1.23.2
 - v1.22.5
 - v1.21.6
- - latest (67753026)
+ - latest (a53849ef)
 [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it.
 support: Community based
diff --git a/go.mod b/go.mod
index 8089c8e30..f43016077 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.16.1
 istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd
- istio.io/istio v0.0.0-20241011003352-6775302647bc
+ istio.io/istio v0.0.0-20241012000449-a53849ef4734
 k8s.io/api v0.31.1
 k8s.io/apiextensions-apiserver v0.31.1
 k8s.io/apimachinery v0.31.1
diff --git a/go.sum b/go.sum
index 7cb5d3401..7ec802631 100644
--- a/go.sum
+++ b/go.sum
@@ -493,8 +493,8 @@ istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381 h1:ZgYTwI0GqRLuany0gL
 istio.io/api v1.23.0-alpha.0.0.20241011000314-650491578381/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I=
 istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd h1:rghOYcynTAXYGRJXkZjxAogTbNQE+ROTWPaGTcd84bM=
 istio.io/client-go v1.23.0-alpha.0.0.20241011000732-f46eea8919cd/go.mod h1:oECxINJDBsN7AtQjcZVBQqQ73FHeYw6D3ihspfN7PDs=
-istio.io/istio v0.0.0-20241011003352-6775302647bc h1:M6v0V3rsgXwkZyIYjALQSHJk/0W1jdbHNFMsj+jHLOE=
-istio.io/istio v0.0.0-20241011003352-6775302647bc/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk=
+istio.io/istio v0.0.0-20241012000449-a53849ef4734 h1:MAqw2g72/EyyZey+CYD4G1CNf77ljUuI5n1ushpOAR8=
+istio.io/istio v0.0.0-20241012000449-a53849ef4734/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk=
 k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
 k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
 k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40=
diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml
index 345eaa359..985cf5b56 100644
--- a/resources/latest/charts/base/Chart.yaml
+++ b/resources/latest/charts/base/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,4 +7,4 @@ keywords:
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
diff --git a/resources/latest/charts/base/files/profile-platform-openshift.yaml b/resources/latest/charts/base/files/profile-platform-openshift.yaml
index 69eda2b1d..8ddc5e165 100644
--- a/resources/latest/charts/base/files/profile-platform-openshift.yaml
+++ b/resources/latest/charts/base/files/profile-platform-openshift.yaml
@@ -15,3 +15,5 @@ pilot:
 provider: "multus"
 seLinuxOptions:
 type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml
index 0fff3f1f3..e9ddea890 100644
--- a/resources/latest/charts/cni/Chart.yaml
+++ b/resources/latest/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
diff --git a/resources/latest/charts/cni/files/profile-platform-openshift.yaml b/resources/latest/charts/cni/files/profile-platform-openshift.yaml
index 69eda2b1d..8ddc5e165 100644
--- a/resources/latest/charts/cni/files/profile-platform-openshift.yaml
+++ b/resources/latest/charts/cni/files/profile-platform-openshift.yaml
@@ -15,3 +15,5 @@ pilot:
 provider: "multus"
 seLinuxOptions:
 type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/resources/latest/charts/cni/templates/daemonset.yaml b/resources/latest/charts/cni/templates/daemonset.yaml
index 2ce4a0665..35cae7cb1 100644
--- a/resources/latest/charts/cni/templates/daemonset.yaml
+++ b/resources/latest/charts/cni/templates/daemonset.yaml
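Review bot: The comment above the new `trustedZtunnelNamespace: "kube-system"` gives the OpenShift reason but not what the key does, and it is the only trust-boundary change in this sync: going by its name, the namespace given here is where ztunnel pods are accepted as legitimate, so a wrong value either widens that trust to an unrelated namespace or silently breaks ambient on OpenShift. Suggest `# OpenShift requires privileged pods to run in kube-system, so ztunnel is deployed there and must be trusted from that namespace (confirm against the consumer of this value).` The same two lines land in the identically hashed `profile-platform-openshift.yaml` of `cni`, `gateway`, `istiod` and `ztunnel` (`index 69eda2b1d..8ddc5e165`), so the wording fix belongs in the upstream istio source these chart copies appear to be synced from rather than in a local patch. The `pilot:` block named in the hunk header begins before the hunk.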
@@ -89,15 +89,13 @@ spec:
 path: /readyz
 port: 8000
 securityContext:
- privileged: true # always requires privilege to be useful (install node plugin, etc)
+ privileged: false
 runAsGroup: 0
 runAsUser: 0
 runAsNonRoot: false
 # Both ambient and sidecar repair mode require elevated node privileges to function.
- # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.
- # privileged is redundant with CAP_SYS_ADMIN
- # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular
- # capabilities we actually require
+ # But we don't need _everything_ in `privileged`, so explicitly set it to false and
+ # add capabilities based on feature.
 capabilities:
 drop:
 - ALL
@@ -106,9 +104,12 @@ spec:
 - NET_ADMIN
 # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
 - NET_RAW
+ # CAP_SYS_PTRACE is required for repair mode to describe the pod's network namespace
+ # in ambient and repair mode.
+ - SYS_PTRACE
 # CAP_SYS_ADMIN is required for both ambient and repair, in order to open
- # network namespaces in `/proc` to obtain descriptors for entering pod netnamespaces.
- # There does not appear to be a more granular capability for this.
+ # network namespaces in `/proc` to obtain descriptors for entering pod network
+ # namespaces. There does not appear to be a more granular capability for this.
 - SYS_ADMIN
 {{- if .Values.seccompProfile }}
 seccompProfile:
diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml
index 1c657abb1..0f04c3fd7 100644
--- a/resources/latest/charts/cni/values.yaml
+++ b/resources/latest/charts/cni/values.yaml
@@ -112,7 +112,7 @@ _internal_defaults_do_not_set:
 hub: gcr.io/istio-testing
 # Default tag for Istio images.
- tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
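Review bot: The comment added above `- SYS_PTRACE` says it is "required for repair mode … in ambient and repair mode", which contradicts itself; suggest `# CAP_SYS_PTRACE is required in ambient and repair mode to inspect the pod's network namespace.` Replacing `privileged: true` with `privileged: false` is a genuine narrowing (host device access goes away, and the `seccompProfile` block at the end of the second hunk presumably now takes effect), but the retained `runAsUser: 0` together with `SYS_ADMIN` and `SYS_PTRACE` still amounts to node-level access, so the admission level this DaemonSet needs — PSA `privileged`, or an SCC on OpenShift, where the `spc_t` label set in `profile-platform-openshift.yaml` keeps SELinux from confining it further — does not change; a line such as `# NOTE: root + SYS_ADMIN/SYS_PTRACE still requires the privileged PSA level / SCC; this is not a reduced-trust profile` in the rewritten comment block above `capabilities:` would keep readers from treating the new value as a downgrade. The chart under `resources/latest/` appears to be synced from upstream istio, so both wording changes belong there. The container spec that owns this `securityContext` begins and ends outside both hunks.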
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml
index b385daacc..d5ca64be5 100644
--- a/resources/latest/charts/gateway/Chart.yaml
+++ b/resources/latest/charts/gateway/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
diff --git a/resources/latest/charts/gateway/files/profile-platform-openshift.yaml b/resources/latest/charts/gateway/files/profile-platform-openshift.yaml
index 69eda2b1d..8ddc5e165 100644
--- a/resources/latest/charts/gateway/files/profile-platform-openshift.yaml
+++ b/resources/latest/charts/gateway/files/profile-platform-openshift.yaml
@@ -15,3 +15,5 @@ pilot:
 provider: "multus"
 seLinuxOptions:
 type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml
index 61f8db36e..ac161076c 100644
--- a/resources/latest/charts/istiod/Chart.yaml
+++ b/resources/latest/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
diff --git a/resources/latest/charts/istiod/files/profile-platform-openshift.yaml b/resources/latest/charts/istiod/files/profile-platform-openshift.yaml
index 69eda2b1d..8ddc5e165 100644
--- a/resources/latest/charts/istiod/files/profile-platform-openshift.yaml
+++ b/resources/latest/charts/istiod/files/profile-platform-openshift.yaml
@@ -15,3 +15,5 @@ pilot:
 provider: "multus"
 seLinuxOptions:
 type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml
index 0c3203a58..e2aea83bb 100644
--- a/resources/latest/charts/istiod/values.yaml
+++ b/resources/latest/charts/istiod/values.yaml
@@ -242,7 +242,7 @@ _internal_defaults_do_not_set:
 # Dev builds from prow are on gcr.io
 hub: gcr.io/istio-testing
 # Default tag for Istio images.
- tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml
index 4286088ce..5955f3f17 100644
--- a/resources/latest/charts/ztunnel/Chart.yaml
+++ b/resources/latest/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+appVersion: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml b/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml
index 69eda2b1d..8ddc5e165 100644
--- a/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml
+++ b/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -15,3 +15,5 @@ pilot:
 provider: "multus"
 seLinuxOptions:
 type: spc_t
+# Openshift requires privileged pods to run in kube-system
+trustedZtunnelNamespace: "kube-system"
diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml
index d1a2a7c04..f28b7c2ee 100644
--- a/resources/latest/charts/ztunnel/values.yaml
+++ b/resources/latest/charts/ztunnel/values.yaml
@@ -4,7 +4,7 @@ _internal_defaults_do_not_set:
 # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
 hub: gcr.io/istio-testing
 # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
- tag: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ tag: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
 variant: ""
diff --git a/versions.yaml b/versions.yaml
index 754b18f64..c8894a70e 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -43,13 +43,13 @@ versions:
 - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz
 - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz
 - name: latest
- version: 1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811
+ version: 1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce
 repo: https://github.com/istio/istio
 branch: master
- commit: 6775302647bcdb6c742b5c505945ee7a8911d811
+ commit: a53849ef473456ec1c6c178d94ca57bc4aa024ce
 charts:
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/base-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/cni-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/gateway-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/istiod-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811/helm/ztunnel-1.24-alpha.6775302647bcdb6c742b5c505945ee7a8911d811.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/base-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/cni-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/gateway-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/istiod-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce/helm/ztunnel-1.24-alpha.a53849ef473456ec1c6c178d94ca57bc4aa024ce.tgz