fix: conform dialer and volume-uploader pods to restricted pod security profile#3614
Hi @Ankitsinghsisodya. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with

Tip: We noticed you've done this a few times! Consider joining the org to skip this step and gain

Once the patch is verified, the new status will be reflected by the

I understand the commands that are listed here.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Ankitsinghsisodya

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Pull request overview
This PR updates the Kubernetes security context helpers used by the in-cluster dialer and volume-uploader pods so they consistently meet the Kubernetes Pod Security Admission (PSA) restricted profile requirements, including on OpenShift.
Changes:
- Make `defaultPodSecurityContext` always set `runAsNonRoot=true` and `seccompProfile=RuntimeDefault`, returning a minimal non-nil context on OpenShift.
- Simplify `defaultSecurityContext` by always setting `seccompProfile=RuntimeDefault` and removing the now-unused live server-version/client dependency.
- Add unit tests for OpenShift vs non-OpenShift behavior and a compliance test targeting restricted-profile-required fields.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/k8s/security_context.go | Adjust pod/container security context defaults to satisfy restricted PSA and remove server-version gating. |
| pkg/k8s/security_context_test.go | Add unit tests for OpenShift/non-OpenShift and restricted-profile compliance assertions. |
| pkg/k8s/persistent_volumes.go | Update volume-uploader pod to call the new defaultSecurityContext() signature. |
| pkg/k8s/dialer.go | Update dialer pod to call the new defaultSecurityContext() signature. |
…ty profile

The in-cluster dialer and volume-uploader pods lacked the security context fields required by the Kubernetes "restricted" pod security profile, causing pod admission failures (or warnings) on namespaces that enforce pod-security.kubernetes.io/enforce: restricted.

Changes:

- defaultPodSecurityContext now sets RunAsNonRoot and SeccompProfile (RuntimeDefault) at pod level unconditionally, covering both OpenShift and vanilla Kubernetes clusters.
- On OpenShift the function previously returned nil, leaving the pod without any security context. It now returns a minimal context that omits RunAsUser/RunAsGroup/FSGroup (which OpenShift SCCs manage) and sets only the fields required by the restricted PSA profile.
- defaultSecurityContext no longer gates SeccompProfile on a live server-version check; RuntimeDefault has been GA since k8s 1.25 and the project tracks k8s client-go v0.35 (k8s 1.35). The now-unnecessary client parameter is removed.
- Privileged: false is set explicitly for defence-in-depth.
- SeccompProfile is set at both pod and container level intentionally; the pod-level covers all containers by default, the container-level ensures compliance even if the pod-level context is overridden downstream.
- RunAsGroup: 0 is retained on non-OpenShift to preserve Tekton buildpack task compatibility; this does not violate the restricted profile.
- Unit tests are added for both OpenShift and non-OpenShift paths including a compliance test that asserts all four restricted-profile requirements. End-to-end admission validation is covered by make test-full.

Fixes knative#3517
aedd85e to 4c2879a
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

```
@@            Coverage Diff             @@
##             main    #3614      +/-   ##
==========================================
+ Coverage   56.26%   56.37%   +0.11%
==========================================
  Files         180      180
  Lines       20522    20556      +34
==========================================
+ Hits        11546    11588      +42
+ Misses       7774     7768       -6
+ Partials     1202     1200       -2
```

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
|
Changes

- `defaultPodSecurityContext` now sets `RunAsNonRoot: true` and `SeccompProfile: RuntimeDefault` unconditionally at pod level, so pods satisfy the `restricted` PSA profile on any cluster
- On OpenShift it previously returned `nil`, leaving the pod with no security context at all; it now returns a minimal context without `RunAsUser`/`RunAsGroup`/`FSGroup` (which OpenShift SCCs manage) so PSA admission passes
- `defaultSecurityContext` restores `Privileged: false` explicitly for defence-in-depth, removes the version-gated seccomp check (`RuntimeDefault` is GA since k8s 1.25; this project tracks k8s 1.35), and drops the now-unused `client` parameter
- `SeccompProfile` is set at both pod and container level intentionally — pod-level covers all containers by default; container-level ensures compliance even if the pod-level context is overridden downstream
- `RunAsGroup: 0` is retained on non-OpenShift to preserve Tekton buildpack task compatibility; this does not violate the restricted profile (which checks UID, not GID)
- End-to-end admission validation is covered by `make test-full`

/kind bug
Fixes #3517
Release Note
```release-note
Pods created by func during deployment (in-cluster dialer, volume uploader) now
conform to the Kubernetes "restricted" pod security profile. Deployments no
longer fail or produce warnings on clusters or namespaces that enforce
pod-security.kubernetes.io/enforce: restricted.
```
Docs
```docs
```
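As an added example (not code from this PR or from the func project), a small Go checker that evaluates a rendered Pod manifest offline against the four restricted-profile fields the description lists, resolving container-level values over pod-level ones the way the admission controller does. The struct names and the sample manifests used with it are assumptions for illustration, not the project's types.

```go
package main

import "encoding/json"

// Minimal view of the Pod fields the restricted PSA profile inspects; names follow the Pod schema (json matches case-insensitively), zero value means unset.
type secCtx struct {
	AllowPrivilegeEscalation, RunAsNonRoot *bool
	Capabilities                           struct{ Drop []string }
	SeccompProfile                         struct{ Type string }
}
type pod struct {
	Spec struct {
		SecurityContext secCtx
		Containers      []struct{ Name string; SecurityContext secCtx }
	}
}

// RestrictedViolations parses a Pod manifest and returns one message per restricted
// profile requirement the pod fails; a container value overrides the pod-level one.
func RestrictedViolations(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	var out []string
	for _, c := range p.Spec.Containers {
		sc, psc := c.SecurityContext, p.Spec.SecurityContext
		// Effective value: container-level wins when set, else pod-level.
		nonRoot, seccomp, dropAll := psc.RunAsNonRoot, psc.SeccompProfile.Type, false
		if sc.RunAsNonRoot != nil {
			nonRoot = sc.RunAsNonRoot
		}
		if sc.SeccompProfile.Type != "" {
			seccomp = sc.SeccompProfile.Type
		}
		for _, d := range sc.Capabilities.Drop {
			dropAll = dropAll || d == "ALL"
		}
		fail := func(ok bool, msg string) {
			if !ok {
				out = append(out, c.Name+": "+msg)
			}
		}
		fail(sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation, "allowPrivilegeEscalation must be false")
		fail(dropAll, "capabilities.drop must include ALL")
		fail(nonRoot != nil && *nonRoot, "runAsNonRoot must be true at pod or container level")
		fail(seccomp == "RuntimeDefault" || seccomp == "Localhost", "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	return out, nil
}
```

A pod rendered with no security context at all, as the dialer and uploader pods were before this fix, produces all four messages; a pod carrying the pod-level `runAsNonRoot`/`seccompProfile` plus container-level `allowPrivilegeEscalation: false` and `drop: ["ALL"]` produces none.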