Integrate with Pod security #8436
Skipping CI for Draft Pull Request.
/test pull-kubevirt-e2e-k8s-1.24-psa-sig-compute
/test pull-kubevirt-e2e-k8s-1.24-psa-sig-compute
/test pull-kubevirt-e2e-k8s-1.24-psa-sig-compute
/test pull-kubevirt-e2e-k8s-1.24-psa-sig-compute
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jean-edouard. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
| ) | ||
|
|
||
| func RenderNFSServerWithPVC(generateName string, pvcName string) *k8sv1.Pod { |
+1
| @@ -70,6 +70,15 @@ else | |||
| export KUBEVIRT_PROVIDER=${TARGET} | |||
| fi | |||
|
|
|||
| if [[ $TARGET =~ psa ]]; then | |||
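Review bot: `[[ $TARGET =~ psa ]]` is an unanchored regex, so any provider name that merely contains the substring `psa` takes this branch; if only the dedicated PSA lanes are meant, anchor the pattern to where `psa` sits in the name, e.g. `[[ $TARGET =~ (^|-)psa(-|$) ]]`, so an unrelated provider cannot match by accident. The hunk header announces nine added lines but only the `if` is visible here, so whether the branch appends to or replaces the feature-gate list (the question raised in the review thread) cannot be confirmed from this excerpt alone.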
@xpivarc I am not sure that it's going to work, since we use the -apply-default-e2e-configuration flag in functests.sh and it overrides the feature-gate list.
@xpivarc Sorry, my bad, we append. Also checked in the failed test artifacts.
BTW, we also have a test that verifies this holds true in the future.
/cc
/retest-required
VMs are unfortunately still privileged workloads (in Kubevirt). We have to integrate with the new Pod Security Standards in order to allow seamless integration and upgrades. This means we now make sure that the target namespace allows privileged workloads if the PSA feature gate is enabled. This unfortunately means users escalate their privileges, in terms of Pod security, by having the ability to create VMs.
Signed-off-by: L. Pivarc <lpivarc@redhat.com>
Make sure we are not racing with the cluster sync mechanism on Openshift.
Signed-off-by: L. Pivarc <lpivarc@redhat.com>
Signed-off-by: L. Pivarc <lpivarc@redhat.com>
CDI is not yet integrated.
Signed-off-by: L. Pivarc <lpivarc@redhat.com>
@jean-edouard @acardace There was a cycle dependency. It should be good now.
/lgtm
We need a privileged namespace in order to create some of the pods that we need for tests. This commit also aligns pods that can run as restricted PSS.
Signed-off-by: L. Pivarc <lpivarc@redhat.com>
@acardace I just made Bazel happy.
/retest
/lgtm
/test pull-kubevirt-e2e-kind-1.22-sriov-nonroot
/test pull-kubevirt-verify-go-mod
@xpivarc: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/cherry-pick release-0.49
@xpivarc: #8436 failed to apply on top of branch "release-0.49": In response to this:
/cherry-pick release-0.53
@xpivarc: #8436 failed to apply on top of branch "release-0.53": In response to this:
| namespaceStore cache.Store | ||
| onOpenshift bool |
Hey @xpivarc, do we really want a boolean field called "onOpenshift" in here (or in any other place in our repo)? That looks like a code smell...
As of now, we have some additional integration with OKD/Openshift and this just extends the integration. We can look at how we could remove this altogether.
What this PR does / why we need it:
Pod Security Standards show that Kubevirt still can't run as a restricted workload. Clusters enforcing the restricted policy are not able to run VMs without manual adjustment of namespaces. There is also an issue with our upgrade path to a cluster that starts to enforce the policy.
This PR enables opt-in to an automatic escalation of namespaces where VMs run. This should be used only with additional security in place or after auditing RBAC for Kubevirt access (ability to create VM/VMI or higher abstractions).
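The opt-in namespace escalation described above (and in the first commit message), as an added example that is not KubeVirt's own code: it assumes a hypothetical controller helper that patches the upstream PSA `enforce` label to `privileged`, plus an audit helper that lists the namespaces such a controller has opened up, which is the list to reconcile against who holds VM/VMI create rights.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Upstream Pod Security Admission namespace label and the level this PR opts into.
const (
	psaEnforceLabel = "pod-security.kubernetes.io/enforce"
	psaPrivileged   = "privileged"
)

// PrivilegedNamespacePatch (hypothetical helper) returns the JSON merge patch that relaxes
// a namespace's enforce level to privileged, or nil when nothing needs to change (gate off
// or label already privileged), which keeps reconciliation idempotent.
func PrivilegedNamespacePatch(labels map[string]string, psaFeatureGate bool) ([]byte, error) {
	if !psaFeatureGate || labels[psaEnforceLabel] == psaPrivileged {
		return nil, nil
	}
	patch := map[string]interface{}{"metadata": map[string]interface{}{
		"labels": map[string]string{psaEnforceLabel: psaPrivileged},
	}}
	return json.Marshal(patch)
}

// EscalatedNamespaces is the audit side: the sorted namespaces whose enforce level is
// privileged, the set an admin should reconcile against who holds VM/VMI create rights.
func EscalatedNamespaces(all map[string]map[string]string) []string {
	var out []string
	for ns, labels := range all {
		if labels[psaEnforceLabel] == psaPrivileged {
			out = append(out, ns)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample namespaces, as a controller's informer cache might hold them.
	namespaces := map[string]map[string]string{
		"vm-tenant": {psaEnforceLabel: "restricted"}, "infra": {psaEnforceLabel: psaPrivileged}, "default": {},
	}
	patch, _ := PrivilegedNamespacePatch(namespaces["vm-tenant"], true)
	fmt.Printf("patch for vm-tenant: %s\n", patch)
	namespaces["vm-tenant"][psaEnforceLabel] = psaPrivileged // as if the patch were applied
	fmt.Println("privileged namespaces:", EscalatedNamespaces(namespaces))
}
```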