-
Notifications
You must be signed in to change notification settings - Fork 1
/
Dockerfile.proxy
26 lines (20 loc) · 1.27 KB
/
Dockerfile.proxy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
FROM centos:7
RUN curl -Ls https://copr.fedorainfracloud.org/coprs/g/openshift-istio/istio-daily/repo/epel-7/group_openshift-istio-istio-daily-epel-7.repo -o /etc/yum.repos.d/openshift-istio-istio-daily-epel-7.repo && \
yum upgrade -y && \
yum install -y istio-proxy istio-pilot-agent && \
yum clean all
# pilot-agent and envoy may run with effective uid 0 in order to run envoy with
# CAP_NET_ADMIN, so any iptables rule matching on "-m owner --uid-owner
# istio-proxy" will not match connections from those processes anymore.
# Instead, rely on the process's effective gid being istio-proxy and create a
# "-m owner --gid-owner istio-proxy" iptables rule in istio-iptables.sh.
# TODO: disabling due to https://github.com/istio/istio/issues/5745
# RUN \
# chgrp 1337 /usr/local/bin/envoy /usr/local/bin/pilot-agent && \
# chmod 2755 /usr/local/bin/envoy /usr/local/bin/pilot-agent
ADD artifacts/envoy_pilot.yaml.tmpl /etc/istio/proxy/envoy_pilot.yaml.tmpl
ADD artifacts/envoy_policy.yaml.tmpl /etc/istio/proxy/envoy_policy.yaml.tmpl
ADD artifacts/envoy_telemetry.yaml.tmpl /etc/istio/proxy/envoy_telemetry.yaml.tmpl
COPY artifacts/envoy_bootstrap_tmpl.json /var/lib/istio/envoy/envoy_bootstrap_tmpl.json
# The pilot-agent will bootstrap Envoy.
ENTRYPOINT ["/usr/local/bin/pilot-agent"]