This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

fix: don't wait for pod-security-policy spec if disabled #3673

Merged

Conversation

jackfrancis
Member

@jackfrancis jackfrancis commented Aug 6, 2020

Reason for Change:

This PR ensures that we don't wait for a pod-security-policy yaml spec during cluster bootstrapping if the pod-security-policy addon has been explicitly disabled.

To be clear, explicitly disabling that addon will result in a non-working cluster, as privileged escalation capabilities won't be allowed, which various kube-system components require. But this PR will allow folks to deliver their own equivalent PodSecurityPolicy configs if they wish and still return from CSE.

Issue Fixed:

Fixes #3656

Requirements:

Notes:

@jackfrancis jackfrancis added this to Review in progress in backlog Aug 6, 2020
@jackfrancis jackfrancis force-pushed the fix-pod-security-policy-disabled branch from 2c3963a to b02d8c7 Compare August 13, 2020 22:05
@codecov

codecov bot commented Aug 13, 2020

Codecov Report

Merging #3673 into master will increase coverage by 0.00%.
The diff coverage is 100.00%.


@@           Coverage Diff           @@
##           master    #3673   +/-   ##
=======================================
  Coverage   73.15%   73.16%           
=======================================
  Files         147      147           
  Lines       25309    25312    +3     
=======================================
+ Hits        18516    18519    +3     
  Misses       5655     5655           
  Partials     1138     1138           
| Impacted Files | Coverage Δ |
|---|---|
| pkg/engine/templates_generated.go | 53.42% <ø> (ø) |
| pkg/engine/template_generator.go | 82.12% <100.00%> (+0.07%) ⬆️ |

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update fe19610...b02d8c7.

Member

@mboersma mboersma left a comment

/lgtm

@acs-bot

acs-bot commented Aug 14, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jackfrancis, mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [jackfrancis,mboersma]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jackfrancis jackfrancis merged commit de3b547 into Azure:master Aug 14, 2020
backlog automation moved this from Review in progress to Done Aug 14, 2020
@jackfrancis jackfrancis deleted the fix-pod-security-policy-disabled branch August 14, 2020 18:24
penggu pushed a commit to penggu/aks-engine that referenced this pull request Oct 28, 2020
Successfully merging this pull request may close these issues.

Upgrade from 1.14.8 to 1.15.11 fails due to missing pod-security-policy.yaml file