
Fix: Restricted profile comply with PSS #117543

Merged (5 commits) May 24, 2023

Conversation

mochizuki875
Member

What type of PR is this?

/kind bug

What this PR does / why we need it:

The debug profile was added in v1.27 (#114280), but the restricted profile does not work because it is not fully compliant with the Pod Security Standard Restricted.
It seems to be a bug, so I fixed it.

Which issue(s) this PR fixes:

Fixes #117405

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fix restricted debug profile.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
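The bug report above says the restricted debug profile was not fully compliant with the Restricted Pod Security Standard. The following is an added example, not code from this PR or from kubectl: the types are local stand-ins for the corresponding corev1 securityContext fields, and the rules are the container-level checks of the Restricted profile (pod-level fields such as hostPID or a pod-level seccompProfile are not modelled, so the seccomp profile is required on the container itself). It shows the securityContext shape an ephemeral debug container needs to be admitted into a namespace enforcing `pod-security.kubernetes.io/enforce=restricted`, plus a checker that reports which Restricted rules a given context breaks.

```go
package main

import (
	"fmt"
	"strings"
)

// Local stand-ins for the corev1 securityContext fields that the Restricted
// profile constrains. Field names follow the Kubernetes API, but these types
// are defined here for the example only (hypothetical, not k8s.io/api).
type Capabilities struct {
	Add  []string
	Drop []string
}

type SeccompProfile struct {
	Type string // "RuntimeDefault", "Localhost" or "Unconfined"
}

type SecurityContext struct {
	Privileged               *bool
	AllowPrivilegeEscalation *bool
	RunAsNonRoot             *bool
	RunAsUser                *int64
	Capabilities             *Capabilities
	SeccompProfile           *SeccompProfile
}

func boolPtr(b bool) *bool { return &b }

// RestrictedSecurityContext returns a container securityContext that passes
// every container-level check of the Restricted profile. An ephemeral debug
// container needs at least these settings in a namespace that enforces
// pod-security.kubernetes.io/enforce=restricted.
func RestrictedSecurityContext() *SecurityContext {
	return &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false),
		RunAsNonRoot:             boolPtr(true),
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
		SeccompProfile:           &SeccompProfile{Type: "RuntimeDefault"},
	}
}

// RestrictedViolations lists every Restricted-profile rule the given container
// securityContext breaks. An empty result means the container-level fields are
// compliant. A nil context means "nothing set", which is itself non-compliant
// because allowPrivilegeEscalation, runAsNonRoot, capabilities.drop and
// seccompProfile all require an explicit value.
func RestrictedViolations(sc *SecurityContext) []string {
	if sc == nil {
		sc = &SecurityContext{}
	}
	var v []string
	if sc.Privileged != nil && *sc.Privileged {
		v = append(v, "privileged must not be true")
	}
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation must be set to false")
	}
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		v = append(v, "runAsNonRoot must be set to true")
	}
	if sc.RunAsUser != nil && *sc.RunAsUser == 0 {
		v = append(v, "runAsUser must not be 0")
	}
	dropsAll := false
	if sc.Capabilities != nil {
		for _, c := range sc.Capabilities.Drop {
			if c == "ALL" {
				dropsAll = true
			}
		}
		// The only capability Restricted allows to be added back is NET_BIND_SERVICE.
		for _, c := range sc.Capabilities.Add {
			if c != "NET_BIND_SERVICE" {
				v = append(v, "capabilities.add may only contain NET_BIND_SERVICE, found "+c)
			}
		}
	}
	if !dropsAll {
		v = append(v, "capabilities.drop must include ALL")
	}
	if sc.SeccompProfile == nil ||
		(sc.SeccompProfile.Type != "RuntimeDefault" && sc.SeccompProfile.Type != "Localhost") {
		v = append(v, "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	return v
}

func main() {
	fmt.Println("compliant profile violations:", RestrictedViolations(RestrictedSecurityContext()))
	fmt.Println("empty securityContext violations:\n  " + strings.Join(RestrictedViolations(nil), "\n  "))
}
```

Running the checker against an empty securityContext is the quickest way to see why a debug container that sets none of these fields is rejected by the Restricted admission level: every one of the four required fields is reported, and a profile that only sets some of them will still be rejected.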


@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 24, 2023
@k8s-ci-robot
Contributor

Hi @mochizuki875. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 24, 2023
@k8s-ci-robot k8s-ci-robot added area/kubectl sig/cli Categorizes an issue or PR as relevant to SIG CLI. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 24, 2023
@mochizuki875
Member Author

/sig cli
/area kubectl

@mochizuki875
Member Author

/cc @sftim

@k8s-ci-robot k8s-ci-robot requested a review from sftim April 24, 2023 04:41
@mochizuki875
Member Author

@sftim
As I mentioned here, I fixed it.
Would you please check it?

@mochizuki875
Member Author

@sftim
PTAL?

@ardaguclu
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 10, 2023
@ardaguclu
Member

ardaguclu left a comment

I agree that we need to provide a way for users to configure the security context according to their environments. But instead of adding static security context configuration to the current profiles, I'd prefer having a custom profile option in which the security context can be defined, which requires a KEP to move forward.

@mochizuki875
Member Author

@ardaguclu

Thank you for your feedback!:)

But instead of adding static security context configuration to the current profiles, I'd prefer having a custom profile option in which the security context can be defined, which requires a KEP to move forward.

I also think there should be some way to configure the securityContext of an EphemeralContainer with arbitrary content.
However, this PR is a bug fix for an existing feature (the debugging profile already released in v1.27, #114280), and there is a PR similar to what you're talking about (#113009).

So shouldn't this discussion be held separately from this PR?
And shouldn't we focus on fixing a bug of an existing feature in this PR?

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/test sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 15, 2023
@ardaguclu
Member

/triage accepted
/priority backlog

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 16, 2023
@mochizuki875
Member Author

Integration test failure is directly related to the changes in this PR. Could you please check the failure reason if the job fails before calling retest?

@ardaguclu
Oops! Sorry, I'll check it.

@ardaguclu
Member

/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 17, 2023
@ardaguclu
Member

Aside from the one comment, the code generally looks good to me.
I'd ask for another set of eyes from @verb to make sure I'm not missing something.

@mochizuki875
Member Author

@ardaguclu
I'm very grateful for all your help!
Thank you!

/cc @verb
Could you check it?

@k8s-ci-robot k8s-ci-robot requested a review from verb May 17, 2023 13:35
@mochizuki875
Member Author

/retest

@ardaguclu
Member

Thanks!

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 24, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: e46bb228cb1c2c73276cbb86b69f907811617ed7

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, mochizuki875

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 24, 2023
@k8s-ci-robot k8s-ci-robot merged commit 0813904 into kubernetes:master May 24, 2023
13 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.28 milestone May 24, 2023
rayowang pushed a commit to rayowang/kubernetes that referenced this pull request Feb 9, 2024
* restricted profile comply with PSA v1.27

* add test case

* Reflect review comments

* Reflect review comments 2

* Reflect review comments 3
Successfully merging this pull request may close these issues.

Debugging Profile doesn't work well with PSA