New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume #841
Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume #841
Conversation
… publishing This commit should be squashed with: UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
@stlaz: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
@stlaz: This pull request references Bugzilla bug 1977920, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
7b2b0a7
to
2a4b964
Compare
@stlaz: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
@stlaz: This pull request references Bugzilla bug 1977920, which is valid. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test unit |
2a4b964
to
8e739b5
Compare
@stlaz: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
8e739b5
to
91023e7
Compare
@stlaz: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
/lgtm |
/hold |
91023e7
to
e281103
Compare
@stlaz: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
/hold cancel |
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: s-urbaniak, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
4 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@stlaz: All pull requests linked via external trackers have merged: Bugzilla bug 1977920 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
NOTE This PR is not ready for merge until openshift/apiserver-library-go#52 merges and the fake bump is replaced with a real bump.
Previous to the BoundServiceAccountTokenVolume feature being enabled, the automatic mounting of legacy token secrets required that an scc permit secret volume sources either implicitly (by allowing all volume sources) or explicitly (by specifying 'secret' in the set of allowed volumes).
To ensure compatibility with this permission scheme for the projected token volumes enabled by BoundServiceAccountTokenVolume, this commit ensures that the projected volumes of service account tokens will be permitted under the same criteria (i.e. secret volume sources are allowed by an scc).
/cc @sttts @s-urbaniak @marun