Comply with OCP/OKD 4.11 and 4.12 Pod Security Standards #2036
Pull Request Test Coverage Report for Build 2710977891
💛 - Coveralls
okd-hco-e2e-image-index-gcp lane succeeded.
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/okd-hco-e2e-image-index-aws, ci/prow/okd-hco-e2e-upgrade-index-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
hco-e2e-upgrade-prev-index-sno-azure lane succeeded.
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-prev-index-sno-aws In response to this:
/retest
hco-e2e-upgrade-index-sno-aws lane succeeded.
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-sno-azure In response to this:
I have 2 comments:
- In the opening message you mentioned that a `seccompProfile` should also be added to the deployment spec:
  ```yaml
  seccompProfile:
    type: RuntimeDefault
  ```
  But I don't see it in the code changes.
- I think we should also update the kubevirt console plugin deployment with the new PSS, which is deployed by HCO and not in the CSV (at `return &appsv1.Deployment{`).
Set something like:
```yaml
spec:
  securityContext:
    # Do not use SeccompProfile if your project must work on
    # old k8s versions < 1.19 and Openshift < 4.11
    seccompProfile:
      type: RuntimeDefault
    runAsNonRoot: true
  containers:
    - name: my-container
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
```
following OCP/OKD 4.12 best practices. This change should be backported to release-1.7 to ensure a smooth upgrade process to the next version.
Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
done, thanks
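To make the review point concrete, here is an added example (not HCO project code) that takes a pod spec in the same shape as the YAML in the PR description, reports which of the four `restricted`-profile controls set by this PR are missing, and applies them. The `harden` function takes a `seccomp_supported` flag that mirrors the comment in the commit message about k8s < 1.19 / OpenShift < 4.11, so the seccomp finding stays visible when the profile is deliberately left out. The sample spec, container name and image are constructed for the example; the checks cover only the controls the PR sets, not the whole Pod Security Standards restricted policy.

```python
"""Check and harden a pod spec against the PSS 'restricted' controls set in PR #2036.

Added example, not HCO project code. The pod spec is expressed as plain dicts
in the same shape as the YAML from the PR description.
"""
from copy import deepcopy

# Constructed sample: a pod template as it might be rendered before the PR.
# The container name and image are hypothetical.
WEAK_POD_SPEC = {
    "containers": [
        {"name": "my-container", "image": "registry.example/console-plugin:latest"},
    ],
}

# Seccomp profile types accepted by the restricted profile.
SECCOMP_OK = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec):
    """Return findings for the restricted-profile controls this PR addresses.

    Checked (a subset of PSS restricted):
    - runAsNonRoot true at pod level or on every container (a container may not override to false)
    - allowPrivilegeEscalation explicitly false on every container
    - capabilities.drop containing ALL on every container
    - seccompProfile.type RuntimeDefault or Localhost at pod level or on every container
    """
    findings = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_nonroot = pod_sc.get("runAsNonRoot") is True
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type") in SECCOMP_OK
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        nonroot = sc.get("runAsNonRoot")
        if nonroot is False or (not pod_nonroot and nonroot is not True):
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        ctype = (sc.get("seccompProfile") or {}).get("type")
        if ctype is not None:
            if ctype not in SECCOMP_OK:
                findings.append(f"{name}: seccompProfile.type {ctype} is not allowed")
        elif not pod_seccomp:
            findings.append(f"{name}: no seccompProfile (pod or container level)")
    return findings


def harden(pod_spec, seccomp_supported=True):
    """Return a copy of pod_spec with the settings from the PR description applied.

    seccomp_supported=False reproduces the caveat in the commit message: the
    seccompProfile field is left out for clusters on k8s < 1.19 / OpenShift < 4.11,
    so restricted_violations() will still report it on such a spec.
    """
    spec = deepcopy(pod_spec)
    pod_sc = spec.setdefault("securityContext", {})
    pod_sc["runAsNonRoot"] = True
    if seccomp_supported:
        pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return spec


if __name__ == "__main__":
    print("before:", restricted_violations(WEAK_POD_SPEC))
    print("after:", restricted_violations(harden(WEAK_POD_SPEC)))
    print("after, no seccomp:", restricted_violations(harden(WEAK_POD_SPEC, seccomp_supported=False)))
```

Running the script on the constructed spec lists four findings before hardening, none after, and exactly the seccomp finding when `seccomp_supported=False`, which is the state a deployment is left in on clusters that predate the field.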
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information
hco-e2e-upgrade-prev-index-aws lane succeeded.
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-prev-index-azure In response to this:
/retest
hco-e2e-image-index-sno-aws lane succeeded.
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-sno-azure In response to this:
/retest
/retest
/retest
/retest
is not working on OCP/OKD < 4.11.
/retest
@tiraboschi: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
@tiraboschi, looks like seccomp configuration on pods is not yet supported on OKD.
Assuming we must set this up for OCP 4.12, maybe we can manually add the
openshift/release#30734 is merged.
/cherry-pick release-1.7
@tiraboschi: once the present PR merges, I will cherry-pick it on top of release-1.7 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: orenc1. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@tiraboschi: #2036 failed to apply on top of branch "release-1.7":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Manual cherry-pick of #2036 onto release-1.7 (commit message body identical to the PR description above).
Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>