OCPBUGS-4787: merging: Fix the mergeStrategy=containers option #21

Merged
merged 1 commit into from Dec 16, 2022

Conversation


@jhrozek jhrozek commented Dec 14, 2022

Backports kubernetes-sigs#1380 which should fix https://issues.redhat.com/browse/OCPBUGS-4787

It's unusual to send a backport before an upstream patch is merged, but I'm doing that because:

  • the holiday season starts soon and reviews might take longer
  • the upstream CI tests that run the upstream e2e tests on Flatcar are not working at the moment which is blocking merges upstream
  • I want to get the PR through the OCP CI to see if there's any failures
  • I want to give QE a head start testing the PR

We can
/hold
the PR until the original upstream PR is reviewed and merged.

The mergeStrategy=containers option was implemented wrong. Instead of
merging per-container policies, it was merging policies per workload.
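The grouping mistake described above, shown as an added illustration in Go (example code, not SPO's own implementation): partial profiles produced by one ProfileRecording are keyed either by recording alone (the pre-fix behaviour, which collapses every container of the workload into a single profile) or by recording plus container (what mergeStrategy=containers is meant to do). The struct fields, the four sample partials and their syscall lists are constructed for this example; SPO's real partials are SELinux or seccomp profile objects, not plain syscall lists. The security consequence is visible in the output: merging per workload yields the union of what every container needed, so each container ends up allowed more than it ever used.

```go
package main

import (
	"fmt"
	"sort"
)

// PartialProfile stands in for one per-pod partial profile produced by a
// ProfileRecording. Field names are assumptions for this example, not SPO's
// API types.
type PartialProfile struct {
	Name      string   // object name, e.g. test-recording-hello-openshift-kpmvf
	Recording string   // ProfileRecording that produced it
	Container string   // container the partial was recorded from
	Syscalls  []string // syscalls observed for that container (constructed)
}

// mergeKey decides which partials are merged into one final profile.
// perContainer=true is the behaviour mergeStrategy=containers is supposed to
// have; perContainer=false reproduces the bug fixed by this PR, where the key
// ignored the container and merged per workload.
func mergeKey(p PartialProfile, perContainer bool) string {
	if perContainer {
		return p.Recording + "-" + p.Container
	}
	return p.Recording
}

// mergePartials unions the syscalls of every partial that shares a merge key
// and returns the final profiles keyed by name, each with a sorted syscall list.
func mergePartials(partials []PartialProfile, perContainer bool) map[string][]string {
	sets := map[string]map[string]struct{}{}
	for _, p := range partials {
		k := mergeKey(p, perContainer)
		if sets[k] == nil {
			sets[k] = map[string]struct{}{}
		}
		for _, s := range p.Syscalls {
			sets[k][s] = struct{}{}
		}
	}
	out := make(map[string][]string, len(sets))
	for k, set := range sets {
		list := make([]string, 0, len(set))
		for s := range set {
			list = append(list, s)
		}
		sort.Strings(list)
		out[k] = list
	}
	return out
}

// samplePartials mirrors the four Partial objects seen in the verification run
// below (two pods, two containers each). The syscall lists are constructed.
func samplePartials() []PartialProfile {
	return []PartialProfile{
		{"test-recording-hello-openshift-kpmvf", "test-recording", "hello-openshift", []string{"read", "write", "listen", "accept4"}},
		{"test-recording-hello-openshift-lg95s", "test-recording", "hello-openshift", []string{"read", "write", "bind"}},
		{"test-recording-hello-openshift2-kpmvf", "test-recording", "hello-openshift2", []string{"read", "openat", "fstat"}},
		{"test-recording-hello-openshift2-lg95s", "test-recording", "hello-openshift2", []string{"read", "openat", "mmap"}},
	}
}

// sortedNames returns the final profile names in a stable order for display.
func sortedNames(profiles map[string][]string) []string {
	names := make([]string, 0, len(profiles))
	for n := range profiles {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	for _, perContainer := range []bool{false, true} {
		merged := mergePartials(samplePartials(), perContainer)
		fmt.Printf("perContainer=%v -> %d final profile(s)\n", perContainer, len(merged))
		for _, n := range sortedNames(merged) {
			fmt.Printf("  %s: %v\n", n, merged[n])
		}
	}
}
```

With perContainer=false the four partials collapse into one profile named test-recording that allows all eight syscalls; with perContainer=true they become test-recording-hello-openshift and test-recording-hello-openshift2, the same two names the verification run below ends up with, each carrying only what its own container used.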
@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 14, 2022
@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Dec 14, 2022
@openshift-ci-robot

@jhrozek: This pull request references Jira Issue OCPBUGS-4787, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.13.0) matches configured target version for branch (4.13.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xiaojiey

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot requested a review from xiaojiey December 14, 2022 14:02

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 14, 2022

jhrozek commented Dec 14, 2022

@xiaojiey to test, you can deploy with make deploy-openshift-dev as there are no packaging changes.

@xiaojiey

Verification passed with 4.13.0-0.nightly-2022-12-12-210406 + latest code:
After this PR, there will be only one selinuxprofile generated after merge.
With this PR, the final selinuxprofile generated is per container.

Test steps:

1. Install SPO
2. Enable the log enricher
3. Create a new namespace mytest. To record by using the enricher, create a ProfileRecording which uses the recorder
4. Create the service account with privileged permission:
5. Add a label to the ns and create the deployment to be recorded:
$ oc label ns mytest security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged --overwrite=true
$ oc apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-openshift
  namespace: mytest
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      serviceAccountName: spo-record-sa
      initContainers:
      - name: wait
        image: quay.io/openshifttest/centos:centos7
        command: ["/bin/sh", "-c", "env"]
      containers:
      - name: hello-openshift
        image: quay.io/openshifttest/hello-openshift:multiarch
        ports:
        - containerPort: 8080
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
      - name: hello-openshift2
        image: quay.io/openshifttest/hello-openshift:multiarch-fedora
        ports:
        - containerPort: 8081
        readinessProbe:
          tcpSocket:
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 5
EOF
deployment.apps/hello-openshift created
$ oc delete deployment hello-openshift
deployment.apps "hello-openshift" deleted
$ oc get selinuxprofiles.security-profiles-operator.x-k8s.io 
NAME                                    USAGE                                                  STATE
test-recording-hello-openshift-kpmvf    test-recording-hello-openshift-kpmvf_mytest.process    Partial
test-recording-hello-openshift-lg95s    test-recording-hello-openshift-lg95s_mytest.process    Partial
test-recording-hello-openshift2-kpmvf   test-recording-hello-openshift2-kpmvf_mytest.process   Partial
test-recording-hello-openshift2-lg95s   test-recording-hello-openshift2-lg95s_mytest.process   Partial
$ oc delete profilerecordings.security-profiles-operator.x-k8s.io test-recording
profilerecording.security-profiles-operator.x-k8s.io "test-recording" deleted
$ oc get selinuxprofiles.security-profiles-operator.x-k8s.io  -w
NAME                              USAGE                                            STATE
test-recording-hello-openshift    test-recording-hello-openshift_mytest.process    Pending
test-recording-hello-openshift2   test-recording-hello-openshift2_mytest.process   InProgress
$ oc get selinuxprofiles
NAME                              USAGE                                            STATE
test-recording-hello-openshift    test-recording-hello-openshift_mytest.process    Installed
test-recording-hello-openshift2   test-recording-hello-openshift2_mytest.process   Installed

@xiaojiey

/qe-approved

@Vincent056 Vincent056 left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 15, 2022

openshift-ci bot commented Dec 15, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jhrozek, Vincent056


jhrozek commented Dec 16, 2022

/hold cancel
since everyone seems to be on vacation, I'm removing the hold and merging the patch downstream first.
If there are changes requested to the upstream patch, we're going to revert this PR and apply the pure upstream patches.

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 16, 2022

openshift-ci bot commented Dec 16, 2022

@jhrozek: all tests passed!


@openshift-merge-robot openshift-merge-robot merged commit 2a82ee8 into openshift:main Dec 16, 2022
@openshift-ci-robot

@jhrozek: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-4787 has been moved to the MODIFIED state.

