[podsecurity] Dedupe overlapping forbidden messages #107117
@calvin0327: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: calvin0327 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I have thought for a long time and added variable
@liggitt Please correct me if I'm wrong. |
/ok-to-test |
/retest |
@calvin0327: The following test failed, say
@@ -69,6 +70,9 @@ func (r *checkRegistry) EvaluatePod(lv api.LevelVersion, podMetadata *metav1.Obj | |||
results = append(results, check(podMetadata, podSpec)) | |||
} | |||
if lv.Level == api.LevelBaseline { | |||
for _, check := range r.overlappingBaselineChecks[lv.Version] { |
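Review bot: at the `for _, check := range r.overlappingBaselineChecks[lv.Version]` loop, the overlapping checks are selected by `lv.Version` alone and run only under `lv.Level == api.LevelBaseline`, so at any other level they are skipped with nothing in this hunk confirming that the check meant to cover each one is registered for the same version. Consider storing, next to each overlapping check, the ID of the check that supersedes it and skipping only when that ID is in the set being run for `lv.Version`; a doc comment on `overlappingBaselineChecks` stating that invariant would also help.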
marking checks as overlapping and skipping them without positive verification that the specific check they overlap with is also getting run makes me slightly nervous
the integration test failures are related, and make it seem like some expected checks aren't getting run
@calvin0327 thank you for looking into this. After giving it some more thought, I'd like to propose an alternative approach, which is implemented in #107698. That proposes a larger change, but has stronger guarantees that the overridden checks are only skipped when the overriding check is present. It also allows for versioned overrides, in case a baseline check predates an overriding restricted check. |
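A sketch of the guarantee described in the comment above, as an added example that is not code from this PR or from #107698: a baseline check is skipped in a restricted evaluation only when a restricted check that declares it as overridden exists at the same policy version. The `check` type, `checksFor`, `sampleChecks` and the check IDs are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Hypothetical types for illustration; not the pod-security-admission code.
type check struct {
	id        string
	level     string   // "baseline" or "restricted"
	minMinor  int      // first policy minor version that includes the check
	overrides []string // baseline check IDs whose findings this check subsumes
}

// checksFor lists the check IDs to run for a level at a policy minor version.
// A baseline check is skipped in a restricted run only when a restricted check
// that exists at that same version declares that it overrides it.
func checksFor(all []check, level string, minor int) []string {
	overridden := map[string]bool{}
	var ids []string
	for _, c := range all {
		if level == "restricted" && c.level == "restricted" && c.minMinor <= minor {
			for _, id := range c.overrides {
				overridden[id] = true
			}
		}
	}
	for _, c := range all {
		absent := c.minMinor > minor
		tooStrict := c.level == "restricted" && level != "restricted"
		if absent || tooStrict || overridden[c.id] {
			continue
		}
		ids = append(ids, c.id)
	}
	return ids
}

// sampleChecks is constructed data: the restricted check first appears at minor 22.
func sampleChecks() []check {
	return []check{
		{id: "caps_baseline", level: "baseline"},
		{id: "host_ports", level: "baseline"},
		{id: "caps_restricted", level: "restricted", minMinor: 22, overrides: []string{"caps_baseline"}},
	}
}

func main() {
	for _, minor := range []int{21, 22} {
		fmt.Println(minor, checksFor(sampleChecks(), "restricted", minor))
	}
}
```

At minor 21 the overriding check does not exist yet, so the baseline check it would replace still runs and no coverage is lost.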
@tallclair 👌, I think this implementation #107698 is great.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Dedupe overlapping forbidden messages.
Which issue(s) this PR fixes:
Fixes #106129
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: