Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces #1308

dinhxuanvu · 2020-02-20T21:59:53Z

OLM and the operators that it deploys shouldn't have run-level 1
and should use SCC as "anyuid" or "restricted".

Description of the change:

Motivation for the change:

Reviewer Checklist

Implementation matches the proposed design, or proposal is updated to match implementation
Sufficient unit test coverage
Sufficient end-to-end test coverage
Docs updated or added to /docs
Commit messages sensible and descriptive

OLM and the operators that it deploys shouldn't have run-level 1 and should use SCC as "anyuid" or "restricted". Signed-off-by: Vu Dinh <vdinh@redhat.com>

ecordell · 2020-02-20T22:20:37Z

/retest

dinhxuanvu · 2020-02-20T23:51:39Z

/retest

ecordell · 2020-02-21T00:22:45Z

/lgtm
/approve

If e2e passes this should be good.

dinhxuanvu · 2020-02-21T00:26:18Z

/retest

dinhxuanvu · 2020-02-21T02:50:41Z

/test e2e-gcp-upgrade

dinhxuanvu · 2020-02-21T03:12:27Z

/retest

njhale · 2020-02-21T03:34:48Z

/bugzilla refresh

openshift-bot · 2020-02-21T04:22:34Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T04:54:51Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T05:38:19Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T05:41:54Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T06:20:06Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T06:33:02Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T07:12:01Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T07:25:08Z

/retest

Please review the full test history for this PR and help us cut down flakes.

ecordell · 2020-02-21T11:47:09Z

/retest

openshift-bot · 2020-02-21T12:41:23Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T13:19:42Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T13:32:39Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T15:03:58Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-21T15:55:47Z

/retest

Please review the full test history for this PR and help us cut down flakes.

njhale · 2020-02-24T14:49:21Z

I suspect that we just need to add the correct permissions in the Dockerfile for the arbitrary user to have access; eg:

RUN chmod g=u /
USER 1001

dinhxuanvu · 2020-02-25T06:09:00Z

I manage to overcome the certificate issue but now another error pops up:
W0225 05:44:06.564842 1 authentication.go:245] Unable to get configmap/extension-apiserver-authentication in kube-system. Usually fixed by 'kubectl create rolebinding -n kube-system ROLE_NAME --role=extension-apiserver-authentication-reader --serviceaccount=YOUR_NS:YOUR_SA' Error: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:openshift-operators:default" cannot get resource "configmaps" in API group "" in the namespace "kube-system"

dinhxuanvu · 2020-02-25T14:56:34Z

/test e2e-gcp-upgrade

dinhxuanvu · 2020-02-25T17:35:45Z

Please keep this PR on hold until further notice on @shawn-hurley request. Thanks.

Remove the mock-extension-apiserver iamge usage on TestUpdateCSVInPlace test case that causes the failure as the CSV doesn't own that APIServer Signed-off-by: Vu Dinh <vdinh@redhat.com>

njhale · 2020-02-25T19:22:47Z

/retest

njhale

/lgtm

openshift-ci-robot · 2020-02-25T19:33:23Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dinhxuanvu, ecordell, njhale

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [ecordell,njhale]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

dinhxuanvu · 2020-02-25T20:47:51Z

/retest

ecordell · 2020-02-26T12:50:42Z

/hold cancel

openshift-bot · 2020-02-26T14:03:38Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-26T14:54:51Z

/retest

Please review the full test history for this PR and help us cut down flakes.

dinhxuanvu · 2020-02-26T15:04:16Z

Please hold for Shawn.
/hold

dinhxuanvu · 2020-02-26T16:47:59Z

/retest

dinhxuanvu · 2020-02-27T15:32:26Z

/hold cancel

openshift-bot · 2020-02-27T17:08:35Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-27T17:21:26Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2020-02-27T17:34:34Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-ci-robot · 2020-02-27T18:43:06Z

@dinhxuanvu: All pull requests linked via external trackers have merged. Bugzilla bug 1805570 has been moved to the MODIFIED state.

In response to this:

Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Remove run-level 1 from olm and openshift-operators namespaces

e2f0f66

OLM and the operators that it deploys shouldn't have run-level 1 and should use SCC as "anyuid" or "restricted". Signed-off-by: Vu Dinh <vdinh@redhat.com>

openshift-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Feb 20, 2020

openshift-ci-robot requested review from exdx and njhale February 20, 2020 22:09

openshift-ci-robot assigned ecordell Feb 21, 2020

openshift-ci-robot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Feb 21, 2020

njhale changed the title ~~Remove run-level 1 from olm and openshift-operators namespaces~~ Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces Feb 21, 2020

dinhxuanvu removed the request for review from exdx February 21, 2020 03:12

openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Feb 25, 2020

dinhxuanvu force-pushed the remove-run-level branch from e09f082 to 64fd5e1 Compare February 25, 2020 12:12

dinhxuanvu changed the title ~~Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces~~ [DO NOT MERGE] Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces Feb 25, 2020

dinhxuanvu force-pushed the remove-run-level branch from 64fd5e1 to e2f0f66 Compare February 25, 2020 17:37

Fix TestUpdateCSVInPlace e2e test case

acaae85

Remove the mock-extension-apiserver iamge usage on TestUpdateCSVInPlace test case that causes the failure as the CSV doesn't own that APIServer Signed-off-by: Vu Dinh <vdinh@redhat.com>

njhale approved these changes Feb 25, 2020

View reviewed changes

openshift-ci-robot assigned njhale Feb 25, 2020

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 25, 2020

ecordell changed the title ~~[DO NOT MERGE] Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces~~ Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces Feb 26, 2020

openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 26, 2020

openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 26, 2020

openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 27, 2020

openshift-merge-robot merged commit e7b6616 into operator-framework:master Feb 27, 2020

Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces #1308

Bug 1805570: Remove run-level 1 from olm and openshift-operators namespaces #1308

Conversation

dinhxuanvu commented Feb 20, 2020

ecordell commented Feb 20, 2020

dinhxuanvu commented Feb 20, 2020

ecordell commented Feb 21, 2020

dinhxuanvu commented Feb 21, 2020

dinhxuanvu commented Feb 21, 2020 • edited

dinhxuanvu commented Feb 21, 2020

njhale commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

ecordell commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

openshift-bot commented Feb 21, 2020

njhale commented Feb 24, 2020

dinhxuanvu commented Feb 25, 2020

dinhxuanvu commented Feb 25, 2020

dinhxuanvu commented Feb 25, 2020

njhale commented Feb 25, 2020

njhale left a comment

Choose a reason for hiding this comment

openshift-ci-robot commented Feb 25, 2020

dinhxuanvu commented Feb 25, 2020

ecordell commented Feb 26, 2020

openshift-bot commented Feb 26, 2020

openshift-bot commented Feb 26, 2020

dinhxuanvu commented Feb 26, 2020

dinhxuanvu commented Feb 26, 2020

dinhxuanvu commented Feb 27, 2020

openshift-bot commented Feb 27, 2020

openshift-bot commented Feb 27, 2020

openshift-bot commented Feb 27, 2020

openshift-ci-robot commented Feb 27, 2020

dinhxuanvu commented Feb 21, 2020 •

edited