PodSecurityPolicy RuntimeClass support #73795

Merged
merged 5 commits into from May 2, 2019

Conversation

@tallclair
Member

commented Feb 6, 2019

What type of PR is this?
/kind feature

What this PR does / why we need it:

Sandboxed runtimes will offer a key security feature for pods, so it makes sense for those security constraints to be enforceable by PodSecurityPolicy. This PR adds support for restricting & defaulting the RuntimeClass used by pods.

Does this PR introduce a user-facing change?:

Add RuntimeClass restrictions & defaulting to PodSecurityPolicy.

/sig auth
/milestone v1.15

@yastij
Member

left a comment

just some thoughts


@tallclair tallclair force-pushed the tallclair:runtimeclass-psp branch from 2efc02e to 769d493 Feb 13, 2019

@k8s-ci-robot k8s-ci-robot added the size/S label Feb 13, 2019

@soggiest

Contributor

commented Mar 5, 2019

Hello!
1.14 code freeze is coming in about 3 days; will this be rebased and merged in the next week?

@tallclair

Member Author

commented Mar 5, 2019

@soggiest Thanks for the ping. I'm prioritizing getting RuntimeClass to beta (#74433), so I think this is likely to slip.

@liggitt liggitt modified the milestones: v1.14, v1.15 Mar 7, 2019

@liggitt

Member

commented Apr 24, 2019

As long as the feature gate is not yet GA, we have to allow for it being disabled, and drop the corresponding fields from new objects in podsecuritypolicy#DropDisabledFields (follow the pattern there of dropping if the feature is disabled and the existing object isn't using the new fields already).
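Added example, not code from this PR or from Kubernetes: a simplified Go model of the two behaviours discussed on this page, the restricting and defaulting of a pod's RuntimeClass from the PR description and the DropDisabledFields pattern liggitt asks for above. The type shapes, the "*" wildcard and the nil-strategy semantics are assumptions of this example.

```go
package main

import "fmt"
// Assumed simplified shapes, not the project's own types.
type RuntimeClassStrategy struct {
	AllowedRuntimeClassNames []string // "*" is assumed to allow any RuntimeClass
	DefaultRuntimeClassName  *string  // applied only when the pod names none
}
type PodSecurityPolicySpec struct{ RuntimeClass *RuntimeClassStrategy } // nil: unrestricted
type PodSpec struct{ RuntimeClassName *string }

// MutatePod applies the policy's default RuntimeClass to a pod that set none.
func MutatePod(psp *PodSecurityPolicySpec, pod *PodSpec) {
	if psp.RuntimeClass == nil || psp.RuntimeClass.DefaultRuntimeClassName == nil || pod.RuntimeClassName != nil {
		return
	}
	name := *psp.RuntimeClass.DefaultRuntimeClassName
	pod.RuntimeClassName = &name
}

// ValidatePod rejects a pod whose RuntimeClass is outside the allow list; an
// unset RuntimeClassName is not restricted, so defaulting must run first.
func ValidatePod(psp *PodSecurityPolicySpec, pod *PodSpec) error {
	if psp.RuntimeClass == nil || pod.RuntimeClassName == nil {
		return nil
	}
	for _, allowed := range psp.RuntimeClass.AllowedRuntimeClassNames {
		if allowed == "*" || allowed == *pod.RuntimeClassName {
			return nil
		}
	}
	return fmt.Errorf("runtimeClassName %q is not allowed by the policy", *pod.RuntimeClassName)
}

// DropDisabledFields is the pattern liggitt describes: with the feature gate off, strip the
// new field from an incoming object unless the stored object already uses it (no data loss).
func DropDisabledFields(newSpec, oldSpec *PodSecurityPolicySpec, gateEnabled bool) {
	if gateEnabled || (oldSpec != nil && oldSpec.RuntimeClass != nil) {
		return
	}
	newSpec.RuntimeClass = nil
}

func main() { // constructed sample policy: allow only gvisor and default to it
	gvisor := "gvisor"
	psp := &PodSecurityPolicySpec{&RuntimeClassStrategy{[]string{"gvisor"}, &gvisor}}
	pod := &PodSpec{}
	MutatePod(psp, pod)
	fmt.Println(*pod.RuntimeClassName, ValidatePod(psp, pod))
}
```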

@liggitt liggitt moved this from In progress to Changes requested in API Reviews Apr 24, 2019

@tallclair tallclair force-pushed the tallclair:runtimeclass-psp branch from 1537247 to 8597d2c Apr 24, 2019

@tallclair

Member Author

commented Apr 24, 2019

Thanks for the review! All comments addressed.

@liggitt liggitt moved this from Changes requested to In progress in API Reviews Apr 25, 2019

@liggitt

Member

commented Apr 25, 2019

one doc nit, then lgtm

@liggitt

Member

commented Apr 25, 2019

/approve

@liggitt liggitt removed the api-review label Apr 25, 2019

@k8s-ci-robot

Contributor

commented Apr 25, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair


@liggitt liggitt removed this from In progress in API Reviews Apr 25, 2019

@liggitt liggitt added this to Completed, 1.15 in API Reviews Apr 25, 2019

@tallclair tallclair force-pushed the tallclair:runtimeclass-psp branch from 3769588 to c666bd0 May 1, 2019

@yastij
yastij approved these changes May 1, 2019
Member

left a comment

/lgtm

@fejta-bot


commented May 2, 2019

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).



@k8s-ci-robot k8s-ci-robot merged commit 6a48257 into kubernetes:master May 2, 2019

20 checks passed

cla/linuxfoundation: tallclair authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-conformance-image-test: Skipped.
pull-kubernetes-cross: Skipped.
pull-kubernetes-dependencies: Job succeeded.
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-100-performance: Job succeeded.
pull-kubernetes-e2e-gce-csi-serial: Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gce-storage-slow: Skipped.
pull-kubernetes-godeps: Skipped.
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
pull-kubernetes-local-e2e: Skipped.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.
pull-publishing-bot-validate: Skipped.
tide: In merge pool.