Revision 4f4e8e9155a6d2639ab02b7de39590bc95ae0c53 authored by Tam Mach on 05 March 2024, 08:34:35 UTC, committed by Julian Wiedmann on 02 April 2024, 17:03:53 UTC
[upstream commit 3166f95] Use cilium-envoy image that drops privileges from the Envoy process before it starts. Envoy now needs to be started as `cilium-envoy-starter`, which drops all privileges before executing `cilium-envoy`. If `cilium-envoy` is executed directly with any privileges, it will terminate with the following error message when any Cilium filters are first configured: "[assert failure: get_capabilities(CAP_EFFECTIVE) == 0 && get_capabilities(CAP_PERMITTED) == 0. Details: cilium-envoy running with privileges, exiting" Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Tam Mach <tam.mach@cilium.io>
1 parent 63859d3
Computing file changes ...