OPCT-7 - fix/securityContext: disable default SecurityContext created by Sonobuoy #39
PR under validation
This change, and RBAC #34, are mandatory for the 'upgrade' (#33) feature to work correctly. I just tested the upgrade without this change, leaving mode==default (nonroot), and it raised these errors:
I've created two cards to address upstream issues found while testing this PR:
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bostrt

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
/unhold
https://issues.redhat.com/browse/SPLAT-651

Support upgrade conformance.

- Introduces new flags to control whether the execution needs to run the upgrade cluster or not:
  - `--mode=upgrade`
  - `--upgrade-to-image=<release_digest>` (`$(oc adm release info 4.Y+1.Z -o jsonpath={.image})`)
- Create config map with plugin variables (the sonobuoy native feature wipes all existing from `podSpec` which is undesired)
- add a new plugin instance of openshift-tests to run upgrades: `05-openshift-cluster-upgrade`

Blocked by:
- [x] #31
- [x] #34

Blocked by Plugin release:
- [x] redhat-openshift-ecosystem/provider-certification-plugins#24

Checklist:
- [x] CLI changes to run in upgrade mode
- [x] CLI changes to get the release image digest
- [x] Plugin implementation: redhat-openshift-ecosystem/provider-certification-plugins#24
- [x] Validate y-stream upgrades
- [x] Fix RBAC #34 for Cluster upgrade
- [x] Fix SecurityContextMode for Sonobuoy aggregator stuck on 4.10->4.11 #39
- [x] MachineConfigPool validation: 'opct' object is validated if present when running `mode=upgrade` on the runtime (plugin execution). Failures will be raised by the plugin when the MCP is not present (the User Docs should keep it very explicit). Tests described here: redhat-openshift-ecosystem/provider-certification-plugins#24 (comment)
- [x] User Documentation

Tests checklist:
- [x] upgrade 4.12 -> 4.13
The goal of this PR is to change the default mode of the SecurityContext of jobs, encapsulated by "modes". The SecurityContext created by Sonobuoy is not working as expected with the Pod Security Admission introduced in OCP 4.11/Kube 1.24.

We get the issue when running the upgrade from 4.10 to 4.11 (using conformance tests / #33): the sonobuoy aggregator gets stuck trying to annotate the resources managed by it right after the cluster finishes the upgrade. The issue is detailed in OPCT-7.