Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth: remove SecurityContextDeny admission plugin #122612

Merged
merged 1 commit into from Feb 12, 2024
Merged

auth: remove SecurityContextDeny admission plugin #122612

merged 1 commit into from Feb 12, 2024

Conversation

mtardy
Copy link
Member

@mtardy mtardy commented Jan 5, 2024
edited

What type of PR is this?

/kind deprecation

What this PR does / why we need it:

This PR removes the code associated with the SecurityContextDeny admission plugin. More info on why in the associated issue.

Which issue(s) this PR fixes:

Part of #111516

Special notes for your reviewer:

Changes need to be made against https://github.com/kubernetes/test-infra configs before this PR will pass the tests. It was merged a few months ago:

Does this PR introduce a user-facing change?

Removed the `SecurityContextDeny` admission plugin, deprecated since v1.27. The [Pod Security Admission](https://k8s.io/docs/concepts/security/pod-security-admission/) plugin, available since v1.25, is recommended instead.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://kep.k8s.io/3785
- [Other doc]: https://github.com/kubernetes/kubernetes/issues/111516

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 5, 2024
@mtardy
Copy link
Member Author

mtardy commented Jan 5, 2024

/sig security
/sig auth

@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Jan 5, 2024
@mtardy mtardy marked this pull request as ready for review January 5, 2024 15:27
@mtardy
Copy link
Member Author

mtardy commented Jan 5, 2024

/test all

@mtardy mtardy changed the title [WIP] api: remove SecurityContextDeny admission plugin [WIP] auth: remove SecurityContextDeny admission plugin Jan 8, 2024
@mtardy
Copy link
Member Author

mtardy commented Jan 8, 2024

/retest

@pohly
Copy link
Contributor

pohly commented Jan 10, 2024

pull-kubernetes-local-e2e is not passing at the moment, you can ignore that failure if you have checked locally that your proposed change works.

@mtardy
Copy link
Member Author

mtardy commented Jan 10, 2024

pull-kubernetes-local-e2e is not passing at the moment, you can ignore that failure if you have checked locally that your proposed change works.

Oh okay, but do you know how I could fix this? I have not run the e2e tests locally.

@pohly
Copy link
Contributor

pohly commented Jan 11, 2024

So you haven't tried your changes to hack/local-up-cluster.sh at all? How did you know that you need to modify it?

@sftim

This comment was marked as resolved.

Sign in to view
@sftim
Copy link
Contributor

sftim commented Jan 12, 2024

BTW, to link to the KEP you can use https://kep.k8s.io/3785

sftim
sftim reviewed Jan 12, 2024
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dims
Copy link
Member

dims commented Jan 12, 2024

/assign @liggitt
/lgtm

(local-up-cluster definitely looks good)

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 12, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 367da84eac9eed4650a9a6eaed97869233022d24

cailynse
cailynse reviewed Jan 12, 2024
View reviewed changes
Copy link

@cailynse cailynse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

🧼🧽🫧

@cici37
Copy link
Contributor

cici37 commented Jan 16, 2024

/remove-sig api-machinery

@k8s-ci-robot k8s-ci-robot removed the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Jan 16, 2024
@sftim
Copy link
Contributor

sftim commented Jan 25, 2024

/retest

@k8s-ci-robot
Copy link
Contributor

@mtardy: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubernetes-local-e2e 73bec0f link false /test pull-kubernetes-local-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@stlaz
Copy link
Member

stlaz commented Jan 29, 2024

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 29, 2024
@pacoxu
Copy link
Member

pacoxu commented Feb 1, 2024

/milestone v1.30
/priority important-soon

@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Feb 1, 2024
@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Feb 1, 2024
@liggitt
Copy link
Member

liggitt commented Feb 12, 2024

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, mtardy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 12, 2024
@k8s-ci-robot k8s-ci-robot merged commit 7bea140 into kubernetes:master Feb 12, 2024
16 of 17 checks passed
@mtardy mtardy deleted the remove-scdeny branch February 12, 2024 18:18
@sftim
Copy link
Contributor

sftim commented Apr 1, 2024

Changelog suggestion:

-Removed the `SecurityContextDeny` admission plugin, deprecated since v1.27. The Pod Security Admission plugin, available since v1.25, is recommended instead. See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny for more information.
+Removed the `SecurityContextDeny` admission plugin, deprecated since v1.27.
+The [Pod Security Admission](https://k8s.io/docs/concepts/security/pod-security-admission/) plugin,
+available since v1.25, is recommended instead.

We can't link to the (removed) docs for a removed admission controller.

@sftim sftim mentioned this pull request Apr 1, 2024
Merged
8 tasks
@mtardy
Copy link
Member Author

mtardy commented Apr 14, 2024

Changelog suggestion:

-Removed the `SecurityContextDeny` admission plugin, deprecated since v1.27. The Pod Security Admission plugin, available since v1.25, is recommended instead. See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny for more information.
+Removed the `SecurityContextDeny` admission plugin, deprecated since v1.27.
+The [Pod Security Admission](https://k8s.io/docs/concepts/security/pod-security-admission/) plugin,
+available since v1.25, is recommended instead.

We can't link to the (removed) docs for a removed admission controller.

Thanks, I updated that!

@rashansmith rashansmith mentioned this pull request Apr 15, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pohly pohly pohly left review comments

@cailynse cailynse cailynse left review comments

@sftim sftim sftim left review comments

@dchen1107 dchen1107 Awaiting requested review from dchen1107

@logicalhan logicalhan Awaiting requested review from logicalhan

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

@johnSchnake johnSchnake Awaiting requested review from johnSchnake

Assignees

@dims dims

@liggitt liggitt

@cailynse cailynse

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
[sig-release] Bug Triage
Archived in project
Milestone
v1.30
Development

Successfully merging this pull request may close these issues.

None yet