New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-20192: Require non-readonly filesystem in router container #981
OCPBUGS-20192: Require non-readonly filesystem in router container #981
Conversation
@rfredette: This pull request references Jira Issue OCPBUGS-20192, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/jira refresh |
@rfredette: This pull request references Jira Issue OCPBUGS-20192, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a test case in Test_deploymentConfigChanged
and add the bug reference and details from the PR description to the commit message. Otherwise this looks fine.
f41e007
to
1a925fb
Compare
Job failure looks unrelated. |
boolFalse := false | ||
deployment.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &boolFalse |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
boolFalse := false | |
deployment.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = &boolFalse | |
deployment.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = pointer.Bool(false) |
boolTrue := true | ||
deployment.Spec.Template.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = &boolTrue |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
boolTrue := true | |
deployment.Spec.Template.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = &boolTrue |
AllowPrivilegeEscalation: &boolTrue, | ||
ReadOnlyRootFilesystem: &boolFalse, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use pointer.Bool
here too.
Setting the filesystem to read only in the router container prevents it from rendering the haproxy config, and causes haproxy to be unable to start. Adding the security context constraint readOnlyRootFilesystem: false makes sure the security profile it is assigned does not require a read only filesystem.
1a925fb
to
9822f2a
Compare
/assign |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/assign @frobware |
/hold cancel |
test failures look to be unrelated |
/retest |
@rfredette: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@rfredette: Jira Issue OCPBUGS-20192: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-20192 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Fix included in accepted release 4.15.0-0.nightly-2023-10-17-065657 |
Setting the filesystem to read only in the router container prevents it from rendering the haproxy config, and causes haproxy to be unable to start. Adding the security context constraint
readOnlyRootFilesystem: false
makes sure the security profile it is assigned does not require a read only filesystem.