PWX-32428,PWX-27672: shared mounts fix for PKS and privileged:false #1181
This is odd, unrelated
sharedv4 mount changes look good to me
48cef8e to ea15783
NOTE -- here's the result of the actual test on a PKS system:
* Portworx PODs (oci-monitors) no longer using `privileged:true` - but using 5 capabilities instead
* adding new `STC.security.privileged = true` switch, to roll back to the original `privileged:true` security-setting
* we're also disabling all Bidirectional-mounts, and converting them to regular-mounts (warning will indicate to change STC...privileged=true to enable back)

Signed-off-by: Zoran Rajic <zrajic@purestorage.com>
Signed-off-by: Zoran Rajic <zox@portworx.com>
* fixes shared mounts for PKS (PWX-32428, regression introduced via PWX-31842)
* fixed shared mounts for privileged:false (PWX-27672)

Signed-off-by: Zoran Rajic <zox@portworx.com>
b11fcc8 to 1527ed7
note, code rebased off of latest
…1181)

* fixes shared mounts for PKS (PWX-32428, regression introduced via PWX-31842)
* fixed shared mounts for privileged:false (PWX-27672)

Signed-off-by: Zoran Rajic <zox@portworx.com>
Codecov Report
Patch coverage:
Additional details and impacted files

```
@@            Coverage Diff             @@
##           master    #1181      +/-   ##
==========================================
+ Coverage   75.79%   75.84%   +0.05%
==========================================
  Files          64       64
  Lines       18123    18152      +29
==========================================
+ Hits        13736    13768      +32
+ Misses       3411     3408       -3
  Partials      976      976
```
Thanks for the review Neelesh and Piyush -- merging the PR, will cherry-pick into
* PWX-27672: Reducing Privileged-requirements for Portworx PODs (#1141)

New functionality triggered via `portworx.io/privileged = false` annotation:
* Portworx PODs (oci-monitors) no longer using `privileged:true` - but using 5 capabilities instead
* we're also disabling all Bidirectional-mounts, and converting them to regular-mounts (warning will indicate to change STC...privileged=true to enable back)

Signed-off-by: Zoran Rajic <zox@portworx.com>

Manually fixed Conflicts:
drivers/storage/portworx/util/util.go
pkg/controller/storagecluster/storagecluster.go

* PWX-32428,PWX-27672: shared mounts fix for PKS and privileged:false (#1181)

* fixes shared mounts for PKS (PWX-32428, regression introduced via PWX-31842)
* fixed shared mounts for privileged:false (PWX-27672)

Signed-off-by: Zoran Rajic <zox@portworx.com>
What this PR does / why we need it:
`privileged:false` annotation used
`portworx.io/privileged: true/false` annotation cannot be used unless on px-3.0.1 (or higher)
`pksVolumeInfo.mountPropagation` tweak can override volume's propagation (value `-` removes propagation setting)

FIX:
`px-3.0.1`
`:shared` flag for `-v /var/lib/osd:/var/lib/osd`
`:shared` `-v /var/lib/osd/pxns:/var/lib/osd/pxns:shared` and `-v /var/lib/osd/mounts:/var/lib/osd/mounts:shared` mounts

Which issue(s) this PR fixes (optional)
Closes # PWX-32428
Also follow-up fix for PWX-27672
Special notes for your reviewer:
note: using https://github.com/libopenstorage/operator/tree/PWX-27672_privileged_switch_for_oci-mons as a base-branch
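Kubernetes only allows `Bidirectional` mount propagation in privileged containers, which is why the commits above convert such mounts when `privileged:true` is dropped. The following is an added example, not code from the operator: it shows that conversion on a constructed container spec, and the helper names, the `/etc/pwx` mount and the reading of "regular mount" as an unset `mountPropagation` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Kubernetes container schema (field names as in the Pod API).
type VolumeMount struct {
	MountPath        string `json:"mountPath"`
	MountPropagation string `json:"mountPropagation,omitempty"`
}

type Container struct {
	Name            string `json:"name"`
	SecurityContext *struct {
		Privileged *bool `json:"privileged,omitempty"`
	} `json:"securityContext,omitempty"`
	VolumeMounts []VolumeMount `json:"volumeMounts"`
}

// Constructed sample: a non-privileged container that still requests Bidirectional.
const sampleContainer = `{"name":"portworx","securityContext":{"privileged":false},"volumeMounts":[
 {"mountPath":"/var/lib/osd/mounts","mountPropagation":"Bidirectional"},{"mountPath":"/etc/pwx"}]}`

func parseContainer(raw string) (c Container, err error) {
	err = json.Unmarshal([]byte(raw), &c)
	return
}

// dropBidirectional (hypothetical helper) clears Bidirectional propagation on a
// non-privileged container and returns one warning per converted mount.
func dropBidirectional(c *Container) []string {
	if s := c.SecurityContext; s != nil && s.Privileged != nil && *s.Privileged {
		return nil // privileged containers may keep Bidirectional mounts
	}
	var warnings []string
	for i := range c.VolumeMounts {
		if m := &c.VolumeMounts[i]; m.MountPropagation == "Bidirectional" {
			m.MountPropagation = "" // unset: falls back to the default (no propagation)
			warnings = append(warnings, fmt.Sprintf("%s: Bidirectional mount %s converted to regular mount", c.Name, m.MountPath))
		}
	}
	return warnings
}

func main() {
	c, _ := parseContainer(sampleContainer)
	fmt.Println(dropBidirectional(&c))
}
```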