
[BUG] violates PodSecurity "baseline:latest" #759

Closed
kvaps opened this issue Feb 1, 2024 · 1 comment · Fixed by #777
Labels: kind/bug (Bug), status/closed (Issue is closed, either delivered or triaged)

Comments

kvaps commented Feb 1, 2024

Describe the bug:

Currently etcd clusters can't be created in an unprivileged namespace, because of the hardcoded SYS_PTRACE capability.

Expected behavior:

etcd-druid supports running without privileges.

Logs:

create Pod etcd-test-0 in StatefulSet etcd-test failed error: pods "etcd-test-0" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "backup-restore" must not include "SYS_PTRACE" in securityContext.capabilities.add)

Environment (please complete the following information):

  • Etcd version/commit ID:
  • Etcd-druid version/commit ID: v0.22.0
  • Cloud Provider [All/AWS/GCS/ABS/Swift/OSS]: Talos Linux

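The error quoted above comes from the PodSecurity admission plugin enforcing the "baseline" profile, whose capabilities rule allows only a fixed list of values in `securityContext.capabilities.add` (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT); SYS_PTRACE is not on it. The following is an added example, not etcd-druid's code and not part of the issue: a small offline Go checker that applies that rule to a pod spec (or a StatefulSet's `.spec.template.spec`) decoded from JSON, and reports violations in the wording of the admission error. The two embedded pod specs are constructed for the example, one mirroring the `backup-restore` container with the leftover capability and one with it removed; the `drop: ["ALL"]` in the clean variant is an extra hardening choice for this example, not something the page says the fix did.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// baselineAllowedAdds is the fixed allowlist of capabilities that the Pod
// Security Standards "baseline" profile permits in capabilities.add.
var baselineAllowedAdds = map[string]bool{
	"AUDIT_WRITE": true, "CHOWN": true, "DAC_OVERRIDE": true, "FOWNER": true,
	"FSETID": true, "KILL": true, "MKNOD": true, "NET_BIND_SERVICE": true,
	"SETFCAP": true, "SETGID": true, "SETPCAP": true, "SETUID": true,
	"SYS_CHROOT": true,
}

// Minimal subset of the Kubernetes PodSpec; JSON tags match the API, so the
// .spec object of `kubectl get pod -o json` decodes into it (other fields are ignored).
type Capabilities struct {
	Add []string `json:"add,omitempty"`
}

type SecurityContext struct {
	Capabilities *Capabilities `json:"capabilities,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	InitContainers []Container `json:"initContainers,omitempty"`
	Containers     []Container `json:"containers"`
}

// BaselineCapabilityViolations returns one message per offending container
// (init containers included), worded like the admission error in the issue.
// Names are compared literally, so "CAP_CHOWN" or "chown" are flagged even
// though "CHOWN" is allowed.
func BaselineCapabilityViolations(spec PodSpec) []string {
	var violations []string
	all := append(append([]Container{}, spec.InitContainers...), spec.Containers...)
	for _, c := range all {
		if c.SecurityContext == nil || c.SecurityContext.Capabilities == nil {
			continue
		}
		var forbidden []string
		for _, name := range c.SecurityContext.Capabilities.Add {
			if !baselineAllowedAdds[name] {
				forbidden = append(forbidden, name)
			}
		}
		if len(forbidden) == 0 {
			continue
		}
		sort.Strings(forbidden)
		violations = append(violations, fmt.Sprintf(
			"container %q must not include %q in securityContext.capabilities.add",
			c.Name, strings.Join(forbidden, ", ")))
	}
	return violations
}

// CheckPodSpecJSON decodes a pod spec and runs the baseline capability check on it.
func CheckPodSpecJSON(raw string) ([]string, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(raw), &spec); err != nil {
		return nil, fmt.Errorf("decode pod spec: %w", err)
	}
	return BaselineCapabilityViolations(spec), nil
}

// Constructed sample (not real cluster output): the shape the issue describes,
// with the leftover SYS_PTRACE on the backup-restore container.
const leftoverSpec = `{"containers": [
  {"name": "etcd"},
  {"name": "backup-restore", "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}}}
]}`

// Constructed sample with the added capability removed; dropping ALL is an
// extra hardening choice for this example.
const cleanSpec = `{"containers": [
  {"name": "etcd"},
  {"name": "backup-restore", "securityContext": {"capabilities": {"drop": ["ALL"]}}}
]}`

func main() {
	for label, spec := range map[string]string{"leftover": leftoverSpec, "clean": cleanSpec} {
		violations, err := CheckPodSpecJSON(spec)
		if err != nil {
			fmt.Println(label, "error:", err)
		} else if len(violations) == 0 {
			fmt.Printf("%s: passes baseline capability check\n", label)
		} else {
			fmt.Printf("%s: violates PodSecurity \"baseline\": non-default capabilities (%s)\n",
				label, strings.Join(violations, "; "))
		}
	}
}
```

To see the real rejection rather than this approximation, label a test namespace with `pod-security.kubernetes.io/enforce=baseline` and run `kubectl apply --dry-run=server` on the StatefulSet; the API server reports the same violation without creating any pods.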

@kvaps kvaps added the kind/bug Bug label Feb 1, 2024
@unmarshall unmarshall self-assigned this Apr 23, 2024
@unmarshall (Contributor) commented:

@kvaps thanks for reporting this. I think this was a leftover from code that existed in etcd-druid some time back which required this Linux capability. I have included a fix for this in an existing PR #777 (undergoing review), see commit.

@shreyas-s-rao shreyas-s-rao added this to the v0.23.0 milestone Apr 23, 2024
unmarshall added a commit that referenced this issue Jun 24, 2024
* Introduced internal package, added resource which now replaces Component

* Adapt custodian controller to a recovery-controller

* Add missing JSON tags to fields in types_etcd.go

* Fixed error by Updating Method Name to GetConfigMapName

* added missing annotation constants

* Refactor resource pkg to resolve Cyclic Imports

Introduced a new `registry` package containing `OperatorRegistry`. Additionally, created a subpackage `registry/resource` that contains OperatorContext and the Operator interface to address cyclic import issues

* Fixed lint error

* renamed resource package to operator

* fixed import error

* Add `DataVolumesReady` condition, update imports for internal/health packages

* Refactor memberlease Sync() to use OperatorTask for concurrency

- Replaced flow package with OperatorTask in Sync method.
- Enhanced error handling using multierror for aggregating multiple task errors.

* Refactor: Remove unused etcd field from _resource struct in serviceaccount

* Fix: Correct client URL port assignment in createEtcdConfig

* Initial support for statefulset

* Refactor to support statefulset

* Run etcd-druid locally with new controllers

* added godocs

* refactored operator registry and adopted the changes in etcd reconciler

* removed methods from registry

* cleaned up unused types

* Include 'internal' directory in Docker build context

* Refactor statefulSet operator

* WIP commit - refactored sts resource operator

* Fix incorrect scheme used in ListenClientUrls for etcd config

* Update MemberLease labels to include etcd name-specific labels

* added godoc for errors.go

* added missing exported field godoc

* WIP commit - refactored sts resource operator

* Removed unused function

* Add unit test for peerservice

* Add unit test for clientservice

* Add StatefulSet nil check in dataVolumesReady condition

* Implement RetryOnConflict in etcd Status Updates for LastOperation

* WIP: Refactor Reconcile function

* WIP: Refactor custodian controller

* misc fixes

* Optimize StatefulSet retrieval in GetStatefulSet instead of using list

* misc fixes

* Remove custodian controller; status updates now handled by etcd controller itself

* Replaced update operations with patch for enhanced efficiency and reduced conflicts

* Added etcdReconcilePredicate for enhanced event filtering in etcd controller registration.

* added code to set ObservedGeneration and refactored predicates for etcd reconciler

* added sample package, refactored test for client-svc operator, introduced fakeclientbuilder

* removed logger from New functions

* Added the ObservedGeneration check to E2E test

* Add delete error handling in FakeClientBuilder

* Refactor clientservice tests

* Extend EtcdBuilder with new configuration methods

* EtcdBuilder moved to test/sample from test/utils

* Removed unused file

* minor improvement in test utility fn and removal of dead code

* adapted sample package

* Reorder imports

* Fix lint errors

* changed the error code constants, added sample for role

* Removed duplicate import

* Enhance peer service operator with error handling and logging, and update tests

* Standardize naming conventions for error codes in peer service.

* Rebased with PR#737

* added unit test for role operator and added functions to fake client

* added rolebinding tests

* add sample for rolebinding and memberlease, added tests for rolebinding and some tests for member lease

* corrected tests, get also now returns druiderr

* fixed peer service tests

* fixed tests, added error handling to member lease

* added member lease test and minor corrections to clientservice test

* added service account test

* added pdb operator unit test

* added test for snapshot lease and fixed an issue in member lease

* Fix assertion in all operator tests to correctly compare names

* introduced utility for custom gomega matcher and adapted client and peer service tests

* removed role and rolebinding sample and adjusted unit tests

* removed sample pdb and adjusted tests

* removed sample sa and adjusted tests

* removed sample for leases and adapted tests

* moved etcd builder back to test utils and adapted tests

* harmonized labels on resources managed by druid

* moved the component names to constants and adapted code

* Add resource-protection webhook, aka "sentinel" webhook

* added golang unit tests for utils and other misc changes

* fixed unit test for utils sts

* misc refactoring

* fixed make check errors

* added 2 revised IT tests, misc refactorings all over the place

* removed fakeclient and introduced test client, adapted unit tests, wrote it tests for delete etcd flow

* Changes to sentinel webhook

* Add etcd helper functions, along with unit tests

* Add exemptServiceAccounts config for sentinel webhook

* Clean up api/v1alpha1 unit tests

* added IT tests for etcd reconciler

* changed the test name and description

* Changes to api/v1alpha1 helper functions

* Sentinel to freely allow updates on lease resources

* changed register for etcd controller and adapted unit tests

* moved to golang version 1.22

* renamed LastError.LastUpdateTime to ObservedAt, introduced constants when building sts

* Fix and run `make generate`

* Pull changes from ce2f556

* Pull changes from 5cd5b1b

* Pull changes from 9c5f825

* removed controller and pkg folders, adapted packages

* Run `make revendor`

* fixed etcdcopybackupstasktest and minor refactoring

* Run `make fmt`

* Fix `make check`; fix and run `make generate`

* Add unit tests for DataVolumesReady condition checker

* fixed unit tests, introduced constants and adapted Makefile

* small fix in handlePeerTLSChanges and added etcd IT tests to Makefile

* Fix statefulset etcd.conf.yaml volumemount name

* Fix DataVolumesReady condition sts nil check

* Improve sentinel webhook resource decoder logic

* Add unit tests for FetchPVCWarningMessagesForStatefulSet util func

* Fix unit test for FetchPVCWarningMessagesForStatefulSet util func

* Fix errors from `make check`

* Add unit tests for sentinel webhook

* Fix unit test for statefulset matcher

* Clean up unit tests for sentinel webhook

* minor change for handling create/connect operation

* Streamline sentinel webhook unit tests

* Set mounted files DefaultMode to 640
(changes incorporated from #772 by @AleksandarSavchev)

* Fix integration tests

* refactored sentinel webhook unit test

* removed an unnecessary unit test

* Fix volume mount paths, and other minor fixes

* fixed unit test for init container mount

* Run `make revendor`

* Sentinel webhook uses mounted serviceaccount token for `ReconcilerServiceAccount` by default

* Resolve few TODOs, fix errors from `make check`

* upgraded golang version to 1.22.1

* Streamline the running of tests

* Fix e2e tests

* Move common constants to /internal/common/constants.go

* moved back to go 1.21 and fixed unit test for etcdcopybackup controller

* changed version of go to 1.21.4 in dockerfile and pipeline_definition

* rebased with upstream master, resolved compilation issues, fixed make check and make test

* make tidy which removed gomock

* Run `make generate`, set ctrl logger in `it` test suite

* Add tool github.com/rakyll/gotest to colorize go test output for better readability

* Fix webhook config in manager; Add generic-garbage-collector to sentinel webhook exempt SAs

* Don't swallow infra job apt command output

* Fix e2e tests

* fixed golangci lint errors, now use gotestfmt, refactored etcd it tests

* corrected test-integration target dependencies

* removed reference to gotest from test-go.sh

* changed the version of kustomize to 5.3.0

* Export kind cluster logs to prow job artifacts for enhanced debugging

* debug

* corrected the kustomize version

* Ignore not found debug pods in e2e tests during cleanup

* Update etcd-custom-image to v3.4.26-7

* Add documentation for updated controller design, sentinel webhook, CLI flags

* fix for issue #759

* Address review comments by @renormalize; Make all CLI flags configurable in helm charts

* Update docs, fix formatting in quorum loss recovery doc

* addressed review comments

* disable-resource-protection annotation will no longer have a value

* Run `make generate`

* Address review comments by @ashwani2k

* Address review comments by @renormalize: use constant for volume mode 0640

* addressed review comment to remove explicit types from generic MergeMaps func

* addressed review comments to streamline constants

* Address review comments by @renormalize: stylistic changes to bring err population and check into same line

* Rename all common constants to <general-intent><specific-usage> format

* Address review comments by @renormalize: sentinel webhook disabled by default in helm charts, but enabled via skaffold

* Address review comments by @renormalize: Don't specify explicit type arguments for generic functions

* Address review comments by @ishan16696

* moved manager to its own package, addressed minor review comments

* removed new label from match labels as that will cause failure to do rolling update.

* Minor changes to component names

* Address review comments by @anveshreddy18

* added support for ko, updated skaffold, added new makefile targets for skaffold dev, debug, changed handling of images.yaml

* fixed unit test for sentinel webhook

* aligned messages in sentinel to use Etcd instead of etcd

* corrected the creation of image vector for IT tests

* Fix integration tests, leaked envtest instances

* Disable sentinel webhook when deploying druid via skaffold; to be enabled only via env var DRUID_ENABLE_SENTINEL_WEBHOOK=true

* Minor cosmetic corrections

* Address review comments by @anveshreddy18

* Address review comments by @seshachalam-yv; restructured Makefile

* Address review comments by @seshachalam-yv; Sentinel webhook now also handles sts/scale subresource

* Enable sentinel webhook for CI e2e tests, run via `make ci-e2e-kind`

* Address review comments by @seshachalam-yv; update documentation for new changes

* Helm will create validating webhook config resource only if at least one webhook is enabled

* Address review comments by @ishan16696: update docstrings, flag descriptions

* Address review comments by @seshachalam-yv; sentinel webhook allows lease updates only from etcd members

* Address review comments by @anveshreddy18: add package-level comment for internal/controller/predicate

* Fix and enhance sentinel webhook unit tests

* package renaming, healthz and readyz endpoint addition, partialObjMetadata usage and other smaller changes

* removed unused method from api

* Address review comments by @seshachalam-yv; restructure sentinel webhook handler, allow resource deletion by druid and exempt SAs during etcd deletion

* Address review comments by @ashwani2k and @renormalize: abstract out individual controllers and webhooks from manager code

* component.Operator changed to use metav1.ObjectMeta, removed ginkgo from api package, introduced helper functions in api, renamed files in api package

* Makefile debug auto-reload is changed to manual

Co-authored-by: Saketh Kalaga <51327242+renormalize@users.noreply.github.com>

* corrected makefile deploy-dev target and added doc string to explain readiness check for informers

* resolved merge conflicts and adapted to use helper functions

* removed empty methods

* fixed unit test

* re-generated zz_generated.deepcopy.go

* fixed compilation issues in it tests, adapted recent changes to helper functions

* Address review comments by @ashwani2k: move provider-specific code to dedicated package internal/store

* Update gardener/gardener to v1.86.4

* Add missing finalizer to Etcd resource, fix it tests, fix generated CRDs

* Address review comments by @ashwani2k and @ishan16696

* addressed @ashwani2k comment, removed predicate package and moved the predicates to compaction controller package, removed ginkgo

* Add missing license headers

* Move g/g hack script generate-crds.sh to druid

* added a comment explaining the order of lastOp update and op annotation removal

* changed the comment

* added unit test for concurrent.go utility

* Remove 10- prefix from CRD names

* Add missing vgopath setup to generate-crds script

* Address review comments by @aaronfern, add missing license headers

* Address review comment by @ishan16696

* Address review comment by @aaronfern

* Introduce `PreSync` for components to fix upgrade of etcds that were created by an older druid version

* Add tests for internal/errors package, add license headers

* fixed IT tests after introduction of presync

* addressed review comments from @ishan16696

* removed unused code in it tests

* added log for failed status updates

* addressed review comment from @ishan16696 regarding doc string for register.go

* changed client.List to client.Get in GetStatefulSet

* refactored sentinel webhook, includes protection for PVC deletion and uses PartialObjectMetadata

* fixed sentinel webhook issues

* refactored decoder utility for webhook and added a utility method to druiderr

* renamed sentinel webhook to etcdcomponents and adapted cli, env vars and annotation names. Removed jobs from webhook allowing compaction to delete them

* Add log line for statefulset component PreSync

* Statefulset PreSync now checks sts status instead of pod metadata, to determine pod update

* Fix it tests by simulating sts status changes upon spec changes

* Fix e2e tests

* Map `stackit` infra provider to S3

* Fix status member checks

* addressed review comments, added logchecker to golangci

* Minor fixes

* Remove scale subresource label selector; fix compaction e2e test

---------

Co-authored-by: Shreyas Rao <shreyas.sriganesh.rao@sap.com>
Co-authored-by: Seshachalam Yerasala Venkata <seshachalam.yerasala.venkata@sap.com>
Co-authored-by: Saketh Kalaga <51327242+renormalize@users.noreply.github.com>
Co-authored-by: Marcel Boehm <marcel.boehm@inovex.de>
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Jun 24, 2024