Description:
The ai-gateway-controller v0.5.0 webhook injects an initContainer ai-gateway-extproc with a hardcoded runAsUser: 65532 when mutating Envoy Gateway pods. This prevents deployment on OpenShift clusters using the default restricted or restricted-v2 Security Context Constraint (SCC), which requires UIDs within a namespace-allocated range (e.g., 1001540000-1001549999).
The main envoy and shutdown-manager containers correctly respect the EnvoyProxy securityContext: {} spec (fixed in Envoy Gateway v1.3 via PR envoyproxy/gateway#4938). However, the ai-gateway-extproc initContainer ignores the EnvoyProxy configuration.
Pod spec after webhook mutation:
initContainers:
- name: ai-gateway-extproc
  image: docker.io/envoyproxy/ai-gateway-extproc:v0.5.0
  securityContext:
    runAsUser: 65532 # hardcoded, not configurable
containers:
- name: envoy
  securityContext: {} # respects EnvoyProxy spec ✓
- name: shutdown-manager
  securityContext: {} # respects EnvoyProxy spec ✓
Repro steps:
- Deploy Envoy Gateway v1.7.1 on OpenShift (OKD 4.x)
- Deploy AI Gateway Controller v0.5.0 with the mutating webhook
- Create a Gateway referencing an EnvoyProxy with securityContext: {}
- Create an AIGatewayRoute
- Observe pod creation failure:
  pods "foryouassist-ai-gateway-xxx-" is forbidden: unable to validate against any security context constraint:
  provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 65532:
  must be in the ranges: [1001540000, 1001549999]
Workaround: Create a custom SCC with runAsUser: type: RunAsAny bound to the Envoy service account. This requires cluster-admin privileges.
Expected behavior: The ai-gateway-extproc initContainer should either:
- Inherit the securityContext from the EnvoyProxy spec (like envoy and shutdown-manager)
- Not set runAsUser, letting the platform assign a UID from the namespace range
- Be configurable via the ai-gateway-helm chart values
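To make the failure above reproducible offline, the following is an added example (not code from the ai-gateway or Envoy Gateway projects) that mirrors the restricted-v2 MustRunAsRange check: it reads the namespace's openshift.io/sa.scc.uid-range annotation (START/SIZE format), walks initContainers and containers of a pod spec, and reports every explicitly set runAsUser that falls outside the range. A container with runAsUser unset is accepted, because the SCC admission plugin assigns a UID from the range in that case, which is exactly why the second expected-behavior option works. The pod specs and the namespace annotation value are constructed from the values in this report; the function and variable names are this example's own.

```python
"""Offline mirror of the OpenShift MustRunAsRange runAsUser validation.

Constructed example: the pod specs and the namespace annotation below are
built from the values in the bug report, not read from a live cluster.
"""


def parse_uid_range(annotation: str) -> tuple[int, int]:
    """Parse an 'openshift.io/sa.scc.uid-range' value ('START/SIZE') into (min, max)."""
    start_s, size_s = annotation.split("/")
    start, size = int(start_s), int(size_s)
    return start, start + size - 1


def find_uid_violations(pod_spec: dict, uid_range: tuple[int, int]) -> list[str]:
    """Return SCC-style error strings for every runAsUser outside the namespace range.

    A container-level runAsUser overrides the pod-level one; an unset value is
    accepted because the admission plugin will fill it in from the range.
    """
    lo, hi = uid_range
    pod_uid = (pod_spec.get("securityContext") or {}).get("runAsUser")
    violations = []
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(pod_spec.get(field, [])):
            uid = (container.get("securityContext") or {}).get("runAsUser", pod_uid)
            if uid is None:
                continue  # unset: platform assigns a UID from the range
            if not lo <= uid <= hi:
                violations.append(
                    f".{field}[{idx}].runAsUser: Invalid value: {uid}: "
                    f"must be in the ranges: [{lo}, {hi}]"
                )
    return violations


# Constructed namespace annotation equivalent to the range quoted in the report.
NAMESPACE_UID_RANGE = parse_uid_range("1001540000/10000")

# Pod spec as produced by the webhook (hardcoded UID on the init container).
MUTATED_POD_SPEC = {
    "initContainers": [
        {
            "name": "ai-gateway-extproc",
            "image": "docker.io/envoyproxy/ai-gateway-extproc:v0.5.0",
            "securityContext": {"runAsUser": 65532},
        }
    ],
    "containers": [
        {"name": "envoy", "securityContext": {}},
        {"name": "shutdown-manager", "securityContext": {}},
    ],
}

# Same spec with runAsUser left unset on the init container (expected behavior).
FIXED_POD_SPEC = {
    "initContainers": [
        {
            "name": "ai-gateway-extproc",
            "image": "docker.io/envoyproxy/ai-gateway-extproc:v0.5.0",
            "securityContext": {},
        }
    ],
    "containers": MUTATED_POD_SPEC["containers"],
}


if __name__ == "__main__":
    for label, spec in (("mutated", MUTATED_POD_SPEC), ("fixed", FIXED_POD_SPEC)):
        problems = find_uid_violations(spec, NAMESPACE_UID_RANGE)
        print(f"{label}: {'OK' if not problems else problems}")
```

Running it reports the single .initContainers[0].runAsUser violation for the webhook-mutated spec and nothing for the spec with runAsUser removed; pointing the same check at a pod spec dumped with kubectl and the real namespace annotation gives a quick pre-flight test before relying on a cluster-admin SCC workaround.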
Environment:
- Envoy Gateway: v1.7.1
- AI Gateway Controller: v0.5.0
- Platform: OpenShift OKD 4.x with default restricted-v2 SCC
- Helm chart: ai-gateway-helm
Logs:
Warning FailedCreate replicaset/foryouassist-ai-gateway-xxx
Error creating: pods "foryouassist-ai-gateway-xxx-" is forbidden:
unable to validate against any security context constraint:
[provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 65532:
must be in the ranges: [1001540000, 1001549999]]