Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume #838

Closed
wants to merge 2 commits into from
Closed

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume #838

wants to merge 2 commits into from

Conversation

marun
Copy link

@marun marun commented Jul 1, 2021
edited

NOTE This PR is not ready for merge until openshift/apiserver-library-go#51 merges and the fake bump is replaced with a real bump.

Previous to the BoundServiceAccountTokenVolume feature being enabled, the automatic mounting of legacy token secrets required that an scc permit secret volume sources either implicitly (by allowing all volume sources) or explicitly (by specifying 'secret' in the set of allowed volumes).

To ensure compatibility with this permission scheme for the projected token volumes enabled by BoundServiceAccountTokenVolume, this commit ensures that the projected volumes of service account tokens will be permitted under the same criteria (i.e. secret volume sources are allowed by an scc).

/cc @sttts @s-urbaniak

@marun
UPSTREAM: <carry>: <squash> Add unit testing for service ca configmap…
09202a6 
… publishing

This commit should be squashed with:

UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
@marun
UPSTREAM: <drop>: FAKE bump(apiserver-library-go)
2d7434b
@openshift-ci openshift-ci bot requested review from s-urbaniak and sttts July 1, 2021 04:21
@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Jul 1, 2021
@openshift-ci
Copy link

openshift-ci bot commented Jul 1, 2021

@marun: This pull request references Bugzilla bug 1977920, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request.

In response to this:

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jul 1, 2021
@openshift-ci-robot
Copy link

@marun: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@openshift-ci
Copy link

openshift-ci bot commented Jul 1, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: marun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added vendor-update Touching vendor dir or related files approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 1, 2021
@openshift-ci
Copy link

openshift-ci bot commented Jul 1, 2021

@marun: This pull request references Bugzilla bug 1977920, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request.

In response to this:

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak
Copy link

/test k8s-e2e-gcp

@openshift-ci
Copy link

openshift-ci bot commented Jul 1, 2021
edited

@marun: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/k8s-e2e-gcp-serial 2d7434b link /test k8s-e2e-gcp-serial

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@s-urbaniak
Copy link

/close

@s-urbaniak
Copy link

in favor of #841

@openshift-ci openshift-ci bot closed this Jul 1, 2021
@openshift-ci
Copy link

openshift-ci bot commented Jul 1, 2021

@s-urbaniak: Closed this PR.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci
Copy link

openshift-ci bot commented Jul 1, 2021

@marun: This pull request references Bugzilla bug 1977920. The bug has been updated to no longer refer to the pull request using the external bug tracker.

In response to this:

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@s-urbaniak s-urbaniak Awaiting requested review from s-urbaniak

@sttts sttts Awaiting requested review from sttts

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. vendor-update Touching vendor dir or related files
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@marun @openshift-ci-robot @s-urbaniak