New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume #838
Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume #838
Conversation
… publishing This commit should be squashed with: UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
@marun: This pull request references Bugzilla bug 1977920, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@marun: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marun The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@marun: This pull request references Bugzilla bug 1977920, which is valid. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test k8s-e2e-gcp |
@marun: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/close |
in favor of #841 |
@s-urbaniak: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@marun: This pull request references Bugzilla bug 1977920. The bug has been updated to no longer refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
NOTE This PR is not ready for merge until openshift/apiserver-library-go#51 merges and the fake bump is replaced with a real bump.
Previous to the BoundServiceAccountTokenVolume feature being enabled, the automatic mounting of legacy token secrets required that an scc permit secret volume sources either implicitly (by allowing all volume sources) or explicitly (by specifying 'secret' in the set of allowed volumes).
To ensure compatibility with this permission scheme for the projected token volumes enabled by BoundServiceAccountTokenVolume, this commit ensures that the projected volumes of service account tokens will be permitted under the same criteria (i.e. secret volume sources are allowed by an scc).
/cc @sttts @s-urbaniak