EmptyDir security context #3038
@smarterclayton @pweil- FYI but not really ready for review yet.
0c242b2 to f562011
Did this get merged in SCC?
What is the ETA?
@smarterclayton I'm working on it now, hope to have it working / tested tonight.
b797514 to 6a805c8
@smarterclayton @pweil- @liggitt I'm getting clean e2e runs with this code. Adding tests now.
6a805c8 to 3a6b77e
@smarterclayton @pweil- I'm probably going to extract an interface for a thing that does chcon so we can test that the right context was passed to it in the unit tests
3a6b77e to c82073e
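The testing seam described in the comment above, as an added Go example that is not code from this pull request or from openshift/origin: a small interface whose production implementation shells out to chcon and whose fake records the context it was handed, so a unit test can assert on the exact label without an SELinux-enforcing host. The type and field names, the chcon -R invocation and the sample label values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// SELinuxOptions holds the pod-level SELinux fields (hypothetical struct for this example).
type SELinuxOptions struct{ User, Role, Type, Level string }

// ContextString renders the label in the user:role:type:level form chcon accepts.
func (o SELinuxOptions) ContextString() string {
	return strings.Join([]string{o.User, o.Role, o.Type, o.Level}, ":")
}

// Relabeler is the seam: production uses chcon, unit tests substitute a recorder.
type Relabeler interface{ Relabel(path, context string) error }

// ChconRelabeler shells out to chcon -R on a real SELinux host (assumed flags).
type ChconRelabeler struct{}
func (ChconRelabeler) Relabel(path, context string) error {
	return exec.Command("chcon", "-R", context, path).Run()
}

// FakeRelabeler records every path/context pair so a test can assert on it.
type FakeRelabeler struct{ Calls map[string]string }
func (f *FakeRelabeler) Relabel(path, context string) error {
	if f.Calls == nil {
		f.Calls = map[string]string{}
	}
	f.Calls[path] = context
	return nil
}

// LabelEmptyDir relabels a new emptyDir with the pod's context. Refusing an incomplete
// option set turns a missing label into a visible error instead of a volume silently left at the host default.
func LabelEmptyDir(r Relabeler, volumePath string, opts SELinuxOptions) error {
	if opts.Type == "" || opts.Level == "" {
		return fmt.Errorf("incomplete SELinux options for %s: %+v", volumePath, opts)
	}
	return r.Relabel(volumePath, opts.ContextString())
}

func main() {
	f := &FakeRelabeler{}
	opts := SELinuxOptions{"system_u", "object_r", "svirt_sandbox_file_t", "s0:c1,c2"} // constructed sample
	fmt.Println(LabelEmptyDir(f, "/tmp/emptydir", opts), f.Calls)
}
```

Swapping ChconRelabeler in for the fake is the only change needed to run the same code path on a host with SELinux enforcing.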
@smarterclayton Should we rename 'Level' to 'Range'?
@smarterclayton Since
d9baae0 to 93743dd
I'm ok with the changes; have you validated creating an empty dir with enforcing set? We need to re-enable SELinux as a follow up in vagrant (please spawn an issue for that).
93743dd to ff16ed0
@smarterclayton creating an emptyDir w/ enforcing works. I'm running through the e2e w/ enforcing on now but the registry's running and accepting pushes, secrets are working, etc. so far.
@smarterclayton E2E passes with selinux enforcing. I still have a few more tests I want to write.
@smarterclayton it's no sleep till brooklyn for me wrt this tonight
K, follow up for an integration test in test-integration-docker.sh or something in our e2e to explicitly verify we can write to the empty dir. Let me know when done.
@smarterclayton It's exercised in the e2e because the registry uses an emptyDir directly for its storage
9800d67 to 27dbfb9
[test]
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/3225/)
@smarterclayton Does jenkins run with SELinux enabled?
27dbfb9 to bff15af
No, it needs to be reenabled after we cut 3.0
@smarterclayton I think this is ready for final review:
Oops, I forgot to run the upstream secrets E2E, but I'm positive it will work since the use-cases for secrets are obviously working in the e2e.
Upstream e2e for secrets doesn't work because the service account has to reference the secret.
LGTM [merge]
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/2477/) (Image: devenv-fedora_1821)
Evaluated for origin up to bff15af |
Merged by openshift-bot
Depends on #3037