Fix seccomp localhost error handling #117020

Merged
merged 1 commit into from Apr 12, 2023

cji
Member

@cji cji commented Mar 30, 2023

What type of PR is this?

/kind bug

What this PR does / why we need it:

Returns an error when a Pod or Container's SecurityContext has a localhost seccomp type but an empty localhostProfile field.

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Yes, localhost seccomp configurations will no longer allow an empty localhostProfile field.

Added error handling for seccomp localhost configurations that do not properly set a localhostProfile

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

cc @tallclair @dchen1107 @SergeyKanzhelev @liggitt
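An added example, not code from this PR or from Kubernetes: a manifest audit that flags the configuration the description says is now rejected, resolving each container's effective profile first (a container-level `seccompProfile` overrides the pod-level one). The struct types, `AuditSeccomp`, and the sample manifest are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical minimal stand-ins for the Pod fields involved (not the Kubernetes API types).
type secCtx struct {
	SeccompProfile *struct {
		Type             string `json:"type"`
		LocalhostProfile string `json:"localhostProfile"`
	} `json:"seccompProfile"`
}
type container struct {
	Name            string  `json:"name"`
	SecurityContext *secCtx `json:"securityContext"`
}
type pod struct {
	Spec struct {
		SecurityContext *secCtx     `json:"securityContext"`
		InitContainers  []container `json:"initContainers"`
		Containers      []container `json:"containers"`
	} `json:"spec"`
}
// Constructed sample: pod-level RuntimeDefault; "sidecar" overrides it with Localhost and no profile.
const samplePod = `{"spec":{"securityContext":{"seccompProfile":{"type":"RuntimeDefault"}},
 "containers":[{"name":"app"},{"name":"sidecar","securityContext":{"seccompProfile":{"type":"Localhost"}}}]}}`
// AuditSeccomp names the containers whose effective seccomp profile is type
// Localhost with an empty localhostProfile.
func AuditSeccomp(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	var findings []string
	for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
		sc := c.SecurityContext
		if sc == nil || sc.SeccompProfile == nil {
			sc = p.Spec.SecurityContext // no container-level profile: the pod-level one applies
		}
		if sc != nil && sc.SeccompProfile != nil && sc.SeccompProfile.Type == "Localhost" && sc.SeccompProfile.LocalhostProfile == "" {
			findings = append(findings, c.Name)
		}
	}
	return findings, nil
}
func main() {
	fmt.Println(AuditSeccomp([]byte(samplePod)))
}
```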

@k8s-ci-robot added the release-note, kind/bug, and size/L labels Mar 30, 2023
@k8s-ci-robot
Contributor

Please note that we're already in Test Freeze for the release-1.27 branch. This means every merged PR will be automatically fast-forwarded via the periodic ci-fast-forward job to the release branch of the upcoming v1.27.0 release.

Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Thu Mar 30 16:31:51 UTC 2023.

@k8s-ci-robot added the cncf-cla: yes and area/kubelet labels Mar 30, 2023
@k8s-ci-robot added the do-not-merge/needs-sig, sig/node, needs-triage, and needs-priority labels and removed the do-not-merge/needs-sig label Mar 30, 2023
@bart0sh added this to Triage in SIG Node PR Triage Mar 31, 2023
@cji force-pushed the cji-seccomplocalhost branch 4 times, most recently from 1b952b7 to 003d420 March 31, 2023 19:59
@k8s-ci-robot added the kind/api-change label Mar 31, 2023
@k8s-triage-robot

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@cji
Member Author

cji commented Apr 4, 2023

/retest

Running into a flaky test from #107414 on the unit test, and e2e looks like 65 tests timed out.

@liggitt
Member

liggitt commented Apr 4, 2023

/lgtm
/approve

@k8s-ci-robot added the lgtm label Apr 4, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 687d62318074ffcd7ac2648a5ec8d39e854b6781

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cji, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot added the approved label Apr 4, 2023
@bart0sh
Contributor

bart0sh commented Apr 4, 2023

/triage accepted
/priority important-soon

@k8s-ci-robot added the triage/accepted and priority/important-soon labels and removed the needs-triage and needs-priority labels Apr 4, 2023
@bart0sh moved this from Triage to Needs Approver in SIG Node PR Triage Apr 4, 2023
@cji
Member Author

cji commented Apr 5, 2023

Made the cherry-pick PRs for 1.24, 1.25, and 1.26 to try and get CI green. I see tide is waiting on a milestone label for this PR (and code thaw I believe) but please let me know if there's anything else I can do to get this ready. Thanks!

@liggitt added this to the v1.28 milestone Apr 6, 2023
@liggitt
Member

liggitt commented Apr 6, 2023

Go ahead and open a pick to release-1.27 as well, and we'll try to get it in for 1.27.1.

@k8s-ci-robot merged commit e7426a0 into kubernetes:master Apr 12, 2023
12 checks passed
SIG Node PR Triage automation moved this from Needs Approver to Done Apr 12, 2023
k8s-ci-robot added a commit that referenced this pull request Apr 17, 2023
…upstream-release-1.27

[1.27] Automated cherry pick of #117020: Return error for localhost seccomp type with no localhost
k8s-ci-robot added a commit that referenced this pull request Apr 17, 2023
…upstream-release-1.25

[1.25] Automated cherry pick of #117020: Return error for localhost seccomp type with no localhost
k8s-ci-robot added a commit that referenced this pull request Apr 17, 2023
…upstream-release-1.24

[1.24] Automated cherry pick of #117020: Return error for localhost seccomp type with no localhost
k8s-ci-robot added a commit that referenced this pull request Apr 17, 2023
…upstream-release-1.26

[1.26] Automated cherry pick of #117020: Return error for localhost seccomp type with no localhost
Labels: approved, area/code-generation, area/kubelet, cncf-cla: yes, kind/api-change, kind/bug, lgtm, priority/important-soon, release-note, sig/api-machinery, sig/node, size/L, triage/accepted