SC settings for ApiServerSource's Receive Adapter's container/deployment #6788
Codecov Report

Patch coverage:

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main    #6788   +/-   ##
=======================================
  Coverage   80.44%   80.45%
=======================================
  Files         236      236
  Lines       12206    12212    +6
=======================================
+ Hits         9819     9825    +6
  Misses       1896     1896
  Partials      491      491
```
I tested this with 1.24 and also 1.26 -> works fine
SecurityContext: &corev1.SecurityContext{ | ||
AllowPrivilegeEscalation: ptr.Bool(false), | ||
ReadOnlyRootFilesystem: ptr.Bool(true), | ||
RunAsNonRoot: ptr.Bool(true), | ||
Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}}, | ||
}, |
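Review bot: `RunAsNonRoot: ptr.Bool(true)` is set without a `RunAsUser`, so the kubelet will only start the receive adapter if its image declares a numeric non-root user, and with `ReadOnlyRootFilesystem: ptr.Bool(true)` any path the adapter writes to at runtime needs a writable volume mount. Suggest asserting both fields in the deployment test and stating the image requirement in the release note, so a custom adapter image that runs as root or writes to its root filesystem fails in review rather than at pod start.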
Missing `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},`?
yeah, forgot to push that 🙃
For now we just set the SC and skip the SeccompProfile. If we want, we can update the PR.
We're setting
Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
yeah, it is more consistent, I've updated the deployment and its test
@pierDipi please take a look
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: matzew, pierDipi
/cherry-pick release-1.9
/cherry-pick release-1.8
@matzew: new pull request created: #6792
@matzew: new pull request created: #6793
…ent (knative#6788)

Fixes knative#6787

<!-- Please include the 'why' behind your changes if no issue exists -->

## Proposed Changes

<!-- Please categorize your changes:
- 🎁 Add new feature
- 🐛 Fix bug
- 🧹 Update or clean up current behavior
- 🗑️ Remove feature or internal logic
-->

- similar to our static manifests we set the required SC bits (see: knative#6533), except SeccompProfile

### Pre-review Checklist

<!-- If these boxes are not checked, you will be asked to complete these requirements or explain why they do not apply to your PR. -->

- [ ] **At least 80% unit test coverage**
- [ ] **E2E tests** for any new behavior
- [ ] **Docs PR** for any user-facing impact
- [ ] **Spec PR** for any new API feature
- [ ] **Conformance test** for any change to the spec

**Release Note**

<!-- :page_facing_up: If this change has user-visible impact, write a release note in the block below. Include the string "action required" if additional action is required of users switching to the new release, for example in case of a breaking change. Write as if you are speaking to users, not other Knative contributors. If this change has no user-visible impact, no release note is needed. -->

```release-note
SecurityContext settings for ApiServerSource's Receive Adapter's container/deployment
```

**Docs**

<!-- :book: If this change has user-visible impact, link to an issue or PR in https://github.com/knative/docs. -->

Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
Fixes #6787
Proposed Changes
Pre-review Checklist
Release Note
Docs
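
The review thread turns on which hardening fields the receive adapter's container sets and whether `SeccompProfile` is among them. As an added example (not code from this PR or from Knative), the Go check below reports which of the five fields discussed here are unset or weak in a container-level `securityContext`. The local `securityContext` type, the `audit` and `is` helpers and the JSON sample are assumptions constructed for illustration, and pod-level settings are not considered.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// securityContext mirrors only the fields discussed in the PR
// (hypothetical local type, not the k8s.io/api struct).
type securityContext struct {
	AllowPrivilegeEscalation *bool                   `json:"allowPrivilegeEscalation"`
	ReadOnlyRootFilesystem   *bool                   `json:"readOnlyRootFilesystem"`
	RunAsNonRoot             *bool                   `json:"runAsNonRoot"`
	Capabilities             struct{ Drop []string } `json:"capabilities"`
	SeccompProfile           struct{ Type string }   `json:"seccompProfile"`
}

// Constructed sample: the settings quoted in the review, written as manifest JSON.
const quotedSC = `{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"capabilities":{"drop":["ALL"]}}`

// is reports whether an optional boolean is explicitly set to want.
func is(b *bool, want bool) bool { return b != nil && *b == want }

// audit returns the hardening fields that are unset or set to a weak value.
func audit(raw string) ([]string, error) {
	var sc securityContext
	if err := json.Unmarshal([]byte(raw), &sc); err != nil {
		return nil, err
	}
	var missing []string
	need := func(field string, ok bool) {
		if !ok {
			missing = append(missing, field)
		}
	}
	dropsAll := false
	for _, c := range sc.Capabilities.Drop {
		dropsAll = dropsAll || c == "ALL"
	}
	seccomp := sc.SeccompProfile.Type
	need("allowPrivilegeEscalation", is(sc.AllowPrivilegeEscalation, false))
	need("readOnlyRootFilesystem", is(sc.ReadOnlyRootFilesystem, true))
	need("runAsNonRoot", is(sc.RunAsNonRoot, true))
	need("capabilities.drop", dropsAll)
	need("seccompProfile", seccomp == "RuntimeDefault" || seccomp == "Localhost")
	return missing, nil
}

func main() { fmt.Println(audit(quotedSC)) }
```

An unset boolean counts as a finding because the check requires each field to be set explicitly rather than relying on runtime defaults.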