New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1824800: explicitly set oauth-server container's root file system to writable #273
Bug 1824800: explicitly set oauth-server container's root file system to writable #273
Conversation
@stlaz: This pull request references Bugzilla bug 1824800, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
@@ -62,6 +62,8 @@ spec: | |||
- name: https | |||
containerPort: 6443 | |||
protocol: TCP | |||
securityContext: | |||
readOnlyRootFilesystem: false # because of the `cm` in args |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cp ;-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤦 somebody kill me please
/hold |
…to writable We are doing root write with the copying of the trusted cert bundle so we unfortunately need the FS to be writable. The SA running the pod has broad privileges and if there's a more restrictive SCC with higher priority than what anyuid has, this would make the container fail to start as it would choose to default to non-writable root system.
/hold cancel |
@@ -62,6 +62,8 @@ spec: | |||
- name: https | |||
containerPort: 6443 | |||
protocol: TCP | |||
securityContext: | |||
readOnlyRootFilesystem: false # because of the `cp` in args |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@smarterclayton how do you feel about this? Any workaround? Note: we copy the proxy CA to /etc.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
@stlaz: All pull requests linked via external trackers have merged: openshift/cluster-authentication-operator#273. Bugzilla bug 1824800 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@stlaz: cannot checkout 4.4: error checking out 4.4: exit status 1. output: error: pathspec '4.4' did not match any file(s) known to git. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.4 |
@stlaz: new pull request created: #286 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.3 |
@stlaz: #273 failed to apply on top of branch "release-4.3":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
We are doing root write with the copying of the trusted cert bundle
so we unfortunately need the FS to be writable.
The SA running the pod has broad privileges and if there's a more
restrictive SCC with higher priority than what anyuid has, this
would make the container fail to start as it would choose to
default to non-writable root system.