diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml
index 64c0b4d80d..3e5d9ad76a 100644
--- a/chart/chart-index/Chart.yaml
+++ b/chart/chart-index/Chart.yaml
@@ -41,7 +41,7 @@ dependencies:
 version: 1.26.1
 repository: https://istio-release.storage.googleapis.com/charts
 - name: istiod
- version: 1.26.1
+ version: 1.26.2
 repository: https://istio-release.storage.googleapis.com/charts
 - name: jaeger-operator
 version: 2.46.0
diff --git a/charts/istiod/Chart.yaml b/charts/istiod/Chart.yaml
index fd94f0a1ff..68663298a4 100644
--- a/charts/istiod/Chart.yaml
+++ b/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.26.1
+appVersion: 1.26.2
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.26.1
+version: 1.26.2
diff --git a/charts/istiod/files/injection-template.yaml b/charts/istiod/files/injection-template.yaml
index d8b96ffdcc..1c13d94d64 100644
--- a/charts/istiod/files/injection-template.yaml
+++ b/charts/istiod/files/injection-template.yaml
@@ -25,6 +25,7 @@
 {{- end }}
 {{- end }}
 {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }}
+{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }}
 {{- $containers := list }}
 {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
 metadata:
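Review bot: The new `$tproxy` variable has no comment, although the later hunks (at -94, -167 and -388) use it to replace `.ProxyUID`/`.ProxyGID` with a literal 1337. A template comment above the definition would record that intent, for example `{{- /* TPROXY interception pins the proxy UID/GID to 1337; .ProxyUID/.ProxyGID are not used in that mode */}}`. The comparison is an exact match on `TPROXY`, so an annotation value written in another case takes the non-pinned branches; whether the annotation is normalised before it reaches the template is not visible here.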
@@ -94,7 +95,7 @@ spec:
 - "-z"
 - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
 - "-u"
- - {{ .ProxyUID | default "1337" | quote }}
+ - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }}
 - "-m"
 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
 - "-i"
@@ -167,8 +168,8 @@ spec:
 runAsUser: 0
 {{- else }}
 readOnlyRootFilesystem: true
- runAsGroup: {{ .ProxyGID | default "1337" }}
- runAsUser: {{ .ProxyUID | default "1337" }}
+ runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}
+ runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }}
 runAsNonRoot: true
 {{- end }}
 {{ end -}}
@@ -388,13 +389,14 @@ spec:
 - ALL
 privileged: {{ .Values.global.proxy.privileged }}
 readOnlyRootFilesystem: true
- runAsGroup: {{ .ProxyGID | default "1337" }}
- {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
 runAsNonRoot: false
 runAsUser: 0
+ runAsGroup: 1337
 {{- else -}}
 runAsNonRoot: true
 runAsUser: {{ .ProxyUID | default "1337" }}
+ runAsGroup: {{ .ProxyGID | default "1337" }}
 {{- end }}
 {{- end }}
 resources:
diff --git a/charts/istiod/values.yaml b/charts/istiod/values.yaml
index e00514b0a7..8f62471c87 100644
--- a/charts/istiod/values.yaml
+++ b/charts/istiod/values.yaml
@@ -246,7 +246,7 @@ _internal_defaults_do_not_set:
 # Dev builds from prow are on gcr.io
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.26.1
+ tag: 1.26.2
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
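Review bot: Pinning `-u` to "1337" under TPROXY does not match the UID the sidecar receives in that mode, because the hunk at -388 sets `runAsUser: 0` with `runAsGroup: 1337` whenever `$tproxy` is true. This diff changes only the `-u` argument, so it is worth confirming that the redirection rules identify the proxy by group in TPROXY mode and that any group argument outside this hunk is pinned the same way. If that is the intent, a comment above the line would make it reviewable, for example `{{- /* TPROXY: sidecar runs as UID 0 / GID 1337, so -u must not follow .ProxyUID */}}`. The argument list starts and ends outside the hunk.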
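Review bot: The root branch at -388 now hard-codes `runAsGroup: 1337`, but that branch is also taken when only `sidecar.istio.io/capNetBindService` is `true`, so a non-TPROXY pod that previously received `.ProxyGID` now gets 1337. If the pin is meant for TPROXY only, keep the old value for the other case with `runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }}`, the same form the hunk at -167 uses. The parentheses in `or ($tproxy)` are redundant. The enclosing securityContext starts outside the hunk.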