Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1824800: explicitly set oauth-server container's root file system to writable #273

Merged
merged 1 commit into from May 26, 2020
Merged

Bug 1824800: explicitly set oauth-server container's root file system to writable #273

merged 1 commit into from May 26, 2020

Conversation

stlaz
Copy link
Member

@stlaz stlaz commented Apr 17, 2020

We are doing root write with the copying of the trusted cert bundle
so we unfortunately need the FS to be writable.

The SA running the pod has broad privileges and if there's a more
restrictive SCC with higher priority than what anyuid has, this
would make the container fail to start as it would choose to
default to non-writable root system.

@stlaz stlaz changed the title explicitly set oauth-server container's root file system to writable Bug 1824800: explicitly set oauth-server container's root file system to writable Apr 17, 2020
@openshift-ci-robot openshift-ci-robot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Apr 17, 2020
@openshift-ci-robot
Copy link
Contributor

@stlaz: This pull request references Bugzilla bug 1824800, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.5.0) matches configured target release for branch (4.5.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1824800: explicitly set oauth-server container's root file system to writable

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Apr 17, 2020
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 17, 2020
@stlaz
Copy link
Member Author

stlaz commented Apr 20, 2020

/retest

sttts
sttts reviewed Apr 21, 2020
View reviewed changes
bindata/oauth-openshift/deployment.yaml Outdated
@@ -62,6 +62,8 @@ spec:
- name: https
containerPort: 6443
protocol: TCP
securityContext:
readOnlyRootFilesystem: false # because of the `cm` in args
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cp ;-)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦 somebody kill me please

@stlaz
Copy link
Member Author

stlaz commented Apr 21, 2020

/hold
need to fix the operator, too, I shouldn't start with fixes in late afternoons

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 21, 2020
@stlaz
explicitly set operator's and operand's container's root file system …
c857739 
…to writable

We are doing root write with the copying of the trusted cert bundle
so we unfortunately need the FS to be writable.

The SA running the pod has broad privileges and if there's a more
restrictive SCC with higher priority than what anyuid has, this
would make the container fail to start as it would choose to
default to non-writable root system.
@stlaz
Copy link
Member Author

stlaz commented Apr 21, 2020

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 21, 2020
sttts
sttts reviewed Apr 21, 2020
View reviewed changes
bindata/oauth-openshift/deployment.yaml
@@ -62,6 +62,8 @@ spec:
- name: https
containerPort: 6443
protocol: TCP
securityContext:
readOnlyRootFilesystem: false # because of the `cp` in args
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@smarterclayton how do you feel about this? Any workaround? Note: we copy the proxy CA to /etc.

@stlaz stlaz mentioned this pull request May 11, 2020
Closed
@sttts
Copy link
Contributor

sttts commented May 26, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label May 26, 2020
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit 61cd967 into openshift:master May 26, 2020
@openshift-ci-robot
Copy link
Contributor

@stlaz: All pull requests linked via external trackers have merged: openshift/cluster-authentication-operator#273. Bugzilla bug 1824800 has been moved to the MODIFIED state.

In response to this:

Bug 1824800: explicitly set oauth-server container's root file system to writable

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot
Copy link

@stlaz: cannot checkout 4.4: error checking out 4.4: exit status 1. output: error: pathspec '4.4' did not match any file(s) known to git.

In response to this:

/cherry-pick 4.4
/cherry-pick 4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stlaz
Copy link
Member Author

stlaz commented Jun 1, 2020

/cherry-pick release-4.4

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Jun 1, 2020
Merged
@openshift-cherrypick-robot
Copy link

@stlaz: new pull request created: #286

In response to this:

/cherry-pick release-4.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stlaz
Copy link
Member Author

stlaz commented Jun 1, 2020

/cherry-pick release-4.3

@openshift-cherrypick-robot
Copy link

@stlaz: #273 failed to apply on top of branch "release-4.3":

error: Failed to merge in the changes.
Using index info to reconstruct a base tree...
A	bindata/oauth-openshift/deployment.yaml
M	manifests/07_deployment.yaml
A	pkg/operator2/assets/bindata.go
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): pkg/operator2/assets/bindata.go deleted in HEAD and modified in explicitly set operator's and operand's container's root file system to writable. Version explicitly set operator's and operand's container's root file system to writable of pkg/operator2/assets/bindata.go left in tree.
Auto-merging manifests/07_deployment.yaml
CONFLICT (modify/delete): bindata/oauth-openshift/deployment.yaml deleted in HEAD and modified in explicitly set operator's and operand's container's root file system to writable. Version explicitly set operator's and operand's container's root file system to writable of bindata/oauth-openshift/deployment.yaml left in tree.
Patch failed at 0001 explicitly set operator's and operand's container's root file system to writable

In response to this:

/cherry-pick release-4.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stlaz stlaz deleted the write_fs_payload branch July 2, 2020 09:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@sttts sttts

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@stlaz @openshift-ci-robot @sttts @openshift-bot @openshift-cherrypick-robot @openshift-merge-robot