Pod security context2 #5794

Merged
merged 5 commits into from
Feb 11, 2021

marcosdiez
Contributor

@marcosdiez marcosdiez commented Feb 8, 2021

It turns out both pods and containers can have their own security context.
To make things worse, although the container one has priority, they only share a few of the properties.

I actually spent some time thinking about how to make the UI less confusing, despite the reality.

This is what I came up with:

image

On the code level, I did something that is either very smart or very dumb depending on the point of view:

The backend just exposes the info. So nothing special here.

On the frontend, we now have 3 similar objects:

  • PodSecurityContext (for pods)
  • ContainerSecurityContext (for containers)
  • PodContainerMergedSecurityContext (artificial structure which is a merge of the two above, with all fields optional, so we can use the same UI widget for both, since they are very similar)

So although the Pod does expose PodSecurityContext and the container does expose ContainerSecurityContext, the security context list interprets it as PodContainerMergedSecurityContext and plots it accordingly.

As always, @floreks, please be the judge.

By the way I never explicitly had the chance to thank you for thoughtfully reviewing every single PR of mine and even going to the extra work of rewriting them when needed. Thank you. Really!

Here is a minimalist example of a yaml to test this:

kind: Pod
apiVersion: v1
metadata:
  name: test-security-context2
  namespace: default
spec:
  containers:
    - name: test-security-context2
      image: alpine:latest
      command:
        - tail
        - '-f'
        - /dev/null
      securityContext:
        readOnlyRootFilesystem: true
  securityContext:
    runAsGroup: 1000
    runAsUser: 1000
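
The pod/container merge described in the comment above, sketched as an added example that is not part of this PR or the dashboard's code. It computes the effective security context for one container, letting the container value override the pod value for the fields both levels share; the field subset and the function names are assumptions made for illustration.

```typescript
// Added example, not code from this PR. Type names follow the PR description;
// fields are a subset of the Kubernetes core/v1 API; function names are hypothetical.
interface SharedFields {
  runAsUser?: number;
  runAsGroup?: number;
  runAsNonRoot?: boolean;
}
interface PodSecurityContext extends SharedFields {
  fsGroup?: number;
  supplementalGroups?: number[];
}
interface ContainerSecurityContext extends SharedFields {
  privileged?: boolean;
  readOnlyRootFilesystem?: boolean;
  allowPrivilegeEscalation?: boolean;
}
// All fields optional: one shape for the pod, the container, or their merge.
type PodContainerMergedSecurityContext = PodSecurityContext & ContainerSecurityContext;

// Container value wins when it is set. Test for undefined/null rather than
// truthiness: runAsUser 0 (root) and `false` are real overrides.
function preferContainer<T>(containerValue: T | undefined | null, podValue: T | undefined): T | undefined {
  return containerValue !== undefined && containerValue !== null ? containerValue : podValue;
}

function effectiveSecurityContext(
  pod: PodSecurityContext = {},
  container: ContainerSecurityContext = {},
): PodContainerMergedSecurityContext {
  return {
    runAsUser: preferContainer(container.runAsUser, pod.runAsUser),
    runAsGroup: preferContainer(container.runAsGroup, pod.runAsGroup),
    runAsNonRoot: preferContainer(container.runAsNonRoot, pod.runAsNonRoot),
    fsGroup: pod.fsGroup, // pod-only
    supplementalGroups: pod.supplementalGroups, // pod-only
    privileged: container.privileged, // container-only
    readOnlyRootFilesystem: container.readOnlyRootFilesystem, // container-only
    allowPrivilegeEscalation: container.allowPrivilegeEscalation, // container-only
  };
}

// Constructed sample: the test pod from this PR, plus a container that overrides runAsUser with 0.
const samplePod: PodSecurityContext = {runAsUser: 1000, runAsGroup: 1000};
const fromPrYaml = effectiveSecurityContext(samplePod, {readOnlyRootFilesystem: true});
const rootOverride = effectiveSecurityContext(samplePod, {runAsUser: 0});
console.log(fromPrYaml, rootOverride);
```

A truthiness-based merge such as `container.runAsUser || pod.runAsUser` would report UID 1000 for the second sample even though that container runs as root.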

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. language/de Updates or issues for German translations. labels Feb 8, 2021
@k8s-ci-robot k8s-ci-robot added language/fr Updates or issues for French translations. language/ja Updates or issues for Japanese translations. language/ko Updates or issues for Korean translations. language/zh Updates or issues for Chinese translations. labels Feb 8, 2021
@codecov

codecov bot commented Feb 8, 2021

Codecov Report

Merging #5794 (b190348) into master (aeba15d) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #5794      +/-   ##
==========================================
+ Coverage   43.80%   43.82%   +0.01%     
==========================================
  Files         215      215              
  Lines        9166     9167       +1     
  Branches      112      112              
==========================================
+ Hits         4015     4017       +2     
+ Misses       4885     4884       -1     
  Partials      266      266              

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 11, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 11, 2021
@floreks
Member

floreks commented Feb 11, 2021

Screenshot from 2021-02-11 12-29-45

Refactored code/ui a bit and moved pod security context to the resource information to be consistent.

@floreks
Member

floreks commented Feb 11, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 11, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floreks, marcosdiez

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 11, 2021
@k8s-ci-robot k8s-ci-robot merged commit 8fed16a into kubernetes:master Feb 11, 2021