Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PodSecurity] Deduplicate errors between baseline & restricted checks #107698

Merged
merged 2 commits into from Feb 9, 2022
Merged

[PodSecurity] Deduplicate errors between baseline & restricted checks #107698

merged 2 commits into from Feb 9, 2022

Conversation

tallclair
Copy link
Member

What type of PR is this?

/kind feature

What this PR does / why we need it:

Allow restricted checks to override (supercede) baseline checks, and add overrides for:

  • restricted volume types overrides the baseline host path check
  • restricted capabilities override baseline capabilities
  • restricted seccomp overrides baseline seccomp

The corresponding baseline fixtures needed to be made slightly more generic to accept both the baseline & restricted versions of the error responses.

Several other cleanups or included as well:

  • Add CheckID type alias, to make mapped strings more self-documenting
  • Sort checks alphabetically by ID, with baseline checks coming first to ensure stable error messages

Which issue(s) this PR fixes:

Fixes #106129

Special notes for your reviewer:

This PR is offered as an alternative solution to the approach taken in #107117. This version is a larger change, but has stronger guarantees that the overridden checks are only skipped when the overriding check is present. This also allows for versioned overrides, in case a baseline check predates an overriding restricted check.

Does this PR introduce a user-facing change?

Yes, but not worthy of a release note.

NONE

/sig auth

@tallclair tallclair added this to In Review in SIG-Auth: PodSecurity via automation Jan 22, 2022
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/auth Categorizes an issue or PR as relevant to SIG Auth. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. and removed do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Jan 22, 2022
@k8s-ci-robot
Copy link
Contributor

@tallclair: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 22, 2022
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 22, 2022
@tallclair tallclair changed the title Psa overrides [PodSecurity] Deduplicate errors between baseline & restricted checks Jan 22, 2022
@tallclair tallclair mentioned this pull request Jan 22, 2022
Closed
@enj enj added this to Needs Triage in SIG Auth Old Jan 24, 2022
@tallclair
Copy link
Member Author

Fixed typos.

@liggitt
Copy link
Member

liggitt commented Jan 29, 2022

integration timeout flake tracked in #107857

@tallclair tallclair added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Feb 9, 2022
@liggitt
Copy link
Member

liggitt commented Feb 9, 2022

/lgtm
/approve
/hold to squash in "address comments" commit

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 9, 2022
@liggitt liggitt moved this from In Review to Done (1.24) in SIG-Auth: PodSecurity Feb 9, 2022
@liggitt liggitt moved this from Needs Triage to Closed / Done in SIG Auth Old Feb 9, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 9, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 9, 2022
@tallclair tallclair removed the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Feb 9, 2022
@tallclair
Copy link
Member Author

/hold cancel

I manually squashed, but I think the tide/merge-method-squash label also works for this.

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 9, 2022
@tallclair
Copy link
Member Author

reapplying LGTM for trivial rebase.

@tallclair tallclair added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 9, 2022
@k8s-triage-robot
Copy link

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

  • The PR does have any do-not-merge/* labels
  • The PR does not have the needs-ok-to-test label
  • The PR is mergeable (does not have a needs-rebase label)
  • The PR is approved (has cncf-cla: yes, lgtm, approved labels)
  • The PR is failing tests required for merge

You can:

/retest

@k8s-ci-robot k8s-ci-robot merged commit 6ab748e into kubernetes:master Feb 9, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Feb 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@krmayankk krmayankk Awaiting requested review from krmayankk

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
SIG Auth
Archived in project
SIG-Auth: PodSecurity
Done (1.24)
SIG Auth Old
Closed / Done
Milestone
v1.24
Development

Successfully merging this pull request may close these issues.

[PodSecurity] Dedupe overlapping forbidden messages
4 participants
@tallclair @k8s-ci-robot @liggitt @k8s-triage-robot