
Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume #841

Merged
merged 2 commits into from Jul 1, 2021

Conversation

stlaz
Member

@stlaz stlaz commented Jul 1, 2021

NOTE This PR is not ready for merge until openshift/apiserver-library-go#52 merges and the fake bump is replaced with a real bump.

Previous to the BoundServiceAccountTokenVolume feature being enabled, the automatic mounting of legacy token secrets required that an scc permit secret volume sources either implicitly (by allowing all volume sources) or explicitly (by specifying 'secret' in the set of allowed volumes).

To ensure compatibility with this permission scheme for the projected token volumes enabled by BoundServiceAccountTokenVolume, this commit ensures that the projected volumes of service account tokens will be permitted under the same criteria (i.e. secret volume sources are allowed by an scc).

/cc @sttts @s-urbaniak @marun

… publishing

This commit should be squashed with:

UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
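As an added illustration (not code from this PR, openshift/kubernetes or openshift/apiserver-library-go), the compatibility rule described above expressed as a small Go check over simplified volume types; the `Volume` type, the source-kind strings and the `isSATokenProjection` heuristic are assumptions, not the real SCC matcher.

```go
package main

import "fmt"

// Volume is a simplified stand-in for corev1.Volume (assumption: only what this check
// needs). Projected lists the source kinds of a projected volume, nil if not projected.
type Volume struct {
	Name      string
	Secret    bool
	Projected []string // "serviceAccountToken", "configMap", "downwardAPI", "secret"
}

// isSATokenProjection reports whether a projected volume looks like the token volume that
// BoundServiceAccountTokenVolume auto-mounts: a serviceAccountToken source plus at most
// configMap (CA bundles) and downwardAPI (namespace). Assumption: approximates the real rule.
func isSATokenProjection(sources []string) bool {
	hasToken := false
	for _, s := range sources {
		switch s {
		case "serviceAccountToken":
			hasToken = true
		case "configMap", "downwardAPI":
		default:
			return false // e.g. a "secret" source makes it a generic projection
		}
	}
	return hasToken
}

// VolumeAllowed applies the SCC's allowed volume set (scc.volumes, "*" meaning all) with
// the PR's compatibility rule: an SA token projection is permitted under exactly the
// criteria that permitted the legacy token secret mount, i.e. when "secret" is allowed.
func VolumeAllowed(v Volume, allowed map[string]bool) bool {
	if allowed["*"] {
		return true
	}
	switch {
	case v.Secret:
		return allowed["secret"]
	case v.Projected != nil:
		return allowed["projected"] || (allowed["secret"] && isSATokenProjection(v.Projected))
	}
	return false
}

func main() {
	scc := map[string]bool{"secret": true, "configMap": true, "emptyDir": true} // restricted-like
	token := Volume{Name: "kube-api-access-x", Projected: []string{"serviceAccountToken", "configMap", "downwardAPI"}}
	fmt.Println(VolumeAllowed(token, scc))                                              // true
	fmt.Println(VolumeAllowed(Volume{Name: "creds", Projected: []string{"secret"}}, scc)) // false
}
```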
@openshift-ci openshift-ci bot requested review from marun, s-urbaniak and sttts July 1, 2021 09:00
@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Jul 1, 2021
@openshift-ci-robot

@stlaz: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@stlaz stlaz changed the title Scc projected volumes Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume Jul 1, 2021
@openshift-ci openshift-ci bot added bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jul 1, 2021
@openshift-ci

openshift-ci bot commented Jul 1, 2021

@stlaz: This pull request references Bugzilla bug 1977920, which is valid. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request.

In response to this:

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Jul 1, 2021

@openshift-ci

openshift-ci bot commented Jul 1, 2021

@stlaz: This pull request references Bugzilla bug 1977920, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request.

In response to this:

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stlaz
Member Author

stlaz commented Jul 1, 2021

/test unit


@s-urbaniak

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2021
@stlaz
Member Author

stlaz commented Jul 1, 2021

/hold
either I mis-pushed or the vendors are wrong

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 1, 2021
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2021

@stlaz
Member Author

stlaz commented Jul 1, 2021

/hold cancel
fixed by another run of ./hack/update-vendor.sh

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 1, 2021
@s-urbaniak

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2021
@sttts sttts removed the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Jul 1, 2021
@sttts

sttts commented Jul 1, 2021

/approve

@openshift-ci

openshift-ci bot commented Jul 1, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: s-urbaniak, stlaz, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2021
@openshift-bot

/retest

Please review the full test history for this PR and help us cut down flakes.


@openshift-merge-robot openshift-merge-robot merged commit 529d1a0 into openshift:master Jul 1, 2021
@openshift-ci

openshift-ci bot commented Jul 1, 2021

@stlaz: All pull requests linked via external trackers have merged:

Bugzilla bug 1977920 has been moved to the MODIFIED state.

In response to this:

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
