EmptyDir security context #3038
Conversation
|
@smarterclayton @pweil- FYI but not really ready for review yet. |
pmorie
force-pushed
the
emptydir-security-context
branch
from
0c242b2
to
f562011
Compare
smarterclayton
added
the
approved
|
Did this get merged in SCC? |
|
What is the ETA? |
|
@smarterclayton I'm working on it now, hope to have it working / tested tonight. |
pmorie
force-pushed
the
emptydir-security-context
branch
7 times, most recently
from
b797514
to
6a805c8
Compare
|
@smarterclayton @pweil- @liggitt I'm getting clean e2e runs with this code. Adding tests now. |
pmorie
force-pushed
the
emptydir-security-context
branch
from
6a805c8
to
3a6b77e
Compare
|
@smarterclayton @pweil- I'm probably going to extract an interface for a thing that does chcon so we can test that the right context was passed to it in the unit tests |
pmorie
force-pushed
the
emptydir-security-context
branch
from
3a6b77e
to
c82073e
Compare
|
@smarterclayton Should we rename 'Level' to 'Range' ? |
|
@smarterclayton Since |
pmorie
force-pushed
the
emptydir-security-context
branch
4 times, most recently
from
d9baae0
to
93743dd
Compare
|
I'm ok with the changes, have you validated creating an empty dir with enforcing set? We need to re enable SELinux as a follow up in vagrant (please spawn an issue for that). |
pmorie
force-pushed
the
emptydir-security-context
branch
from
93743dd
to
ff16ed0
Compare
|
@smarterclayton creating an emptyDir w/ enforcing works. I'm running through the e2e w/ enforcing on now but the registry's running an accepting pushes, secrets are working, etc so far. |
|
@smarterclayton E2E passes with selinux enforcing. I still have a few more tests I want to write. |
|
@smarterclayton it's no sleep till brooklyn for me wrt this tonight |
|
K, follow up for an integration test in test-integration-docker.sh or something in our e2e to explicitly verify we can write to the empty dir. Let me know when done.
|
|
@smarterclayton It's exercised in the e2e because the registry uses an emptyDir directly for its storage |
pmorie
force-pushed
the
emptydir-security-context
branch
2 times, most recently
from
9800d67
to
27dbfb9
Compare
|
[test] |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/3225/) |
|
@smarterclayton Does jenkins run with SELinux enabled? |
pmorie
force-pushed
the
emptydir-security-context
branch
from
27dbfb9
to
bff15af
Compare
|
No, it needs to be reenabled after we cut 3.0
|
|
@smarterclayton I think this is ready for final review:
Oops, I forgot to run the upstream secrets E2E, but I'm positive it will work since the use-cases for secrets are obviously working in the e2e. |
|
Upstream e2e for secrets doesn't work because the service account has to reference the secret. |
|
LGTM [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/2477/) (Image: devenv-fedora_1821) |
|
Evaluated for origin up to bff15af |
Merged by openshift-bot
Depends on #3037