envoyproxy · zhaohuabing · Jun 6, 2025 · May 23, 2025 · May 28, 2025 · May 28, 2025
@@ -0,0 +1,44 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+  name: custom-container-security-contex-userid-envoyproxy
+  namespace: gateway-conformance-infra
+spec:
+  provider:
+    type: Kubernetes
+    kubernetes:
+      envoyDeployment:
+        container:
+          securityContext:
+            runAsUser: 65534
+            runAsGroup: 65534
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: custom-container-security-contex-userid-gateway
+  namespace: gateway-conformance-infra
+spec:
+  gatewayClassName: "{GATEWAY_CLASS_NAME}"
+  listeners:
+    - name: http
+      port: 80
+      protocol: HTTP
+  infrastructure:
+    parametersRef:
+      group: gateway.envoyproxy.io
+      kind: EnvoyProxy
+      name: custom-container-security-contex-userid-envoyproxy
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: custom-container-security-contex-userid-route
+  namespace: gateway-conformance-infra
+spec:
+  parentRefs:
+  - name: custom-container-security-contex-userid-gateway
+  rules:
+  - backendRefs:
+    - name: infra-backend-v1
+      port: 8080
@@ -0,0 +1,49 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+//go:build e2e
+
+package tests
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/gateway-api/conformance/utils/http"
+	"sigs.k8s.io/gateway-api/conformance/utils/kubernetes"
+	"sigs.k8s.io/gateway-api/conformance/utils/suite"
+)
+
+func init() {
+	ConformanceTests = append(ConformanceTests, EnvoyGatewayCustomSecurityContextUseridTest)
+}
+
+var EnvoyGatewayCustomSecurityContextUseridTest = suite.ConformanceTest{
+	ShortName:   "EnvoyGatewayCustomSecurityContextUserid",
+	Description: "Envoy proxy container with custom security context user id",
+	Manifests: []string{
+		"testdata/custom-container-security-contex-userid.yaml",
+	},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		t.Run("route with custom security context user id", func(t *testing.T) {
+			ns := "gateway-conformance-infra"
+			routeNN := types.NamespacedName{Name: "custom-container-security-contex-userid-route", Namespace: ns}
+			gwNN := types.NamespacedName{Name: "custom-container-security-contex-userid-gateway", Namespace: ns}
+			gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN)
+
+			expectedResponse := http.ExpectedResponse{
+				Request: http.Request{
+					Path: "/",
+				},
+				Response: http.Response{
+					StatusCode: 200,
+				},
+				Namespace: ns,
+			}
+
+			http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr, expectedResponse)
+		})
+	},
+}
@@ -1,13 +1,13 @@
 FROM busybox@sha256:37f7b378a29ceb4c551b1b5582e27747b855bbfaa73fa11914fe0df028dc581f AS source
 # Create the data directory for eg
-RUN mkdir -p /var/lib/eg
+RUN mkdir -p /var/lib/eg && chmod -R 0777 /var/lib/eg
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/base-nossl:nonroot@sha256:ecbab76d6a504ddf7c58a9d786e70f1f1731fa546b1ac0b20dab35c6fc2f3138
 ARG TARGETPLATFORM
-COPY --chown=65532:65532 $TARGETPLATFORM/envoy-gateway /usr/local/bin/
-COPY --from=source --chown=65532:65532 /var/lib /var/lib
+COPY $TARGETPLATFORM/envoy-gateway /usr/local/bin/
+COPY --from=source /var/lib /var/lib
 
 USER 65532:65532