Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Pick release-v1.27] Run as non-privilege and non-root user #2055

Merged
merged 3 commits into from Jul 8, 2022
Merged

[Pick release-v1.27] Run as non-privilege and non-root user #2055

merged 3 commits into from Jul 8, 2022

Conversation

hjiawei
Copy link
Contributor

@hjiawei hjiawei commented Jun 29, 2022

Description

This changeset set securityContext as non-privilege and non-root user
for IDS controller, prometheus, and kibana pods. It fixes an enterprise
component developmend issue on CIS profile hardened RKE2 cluster. When
the container is running as root or non-numeric user (nobody or kibana),
it failed non-root validation.

Pick #2037 into release-v1.27 branch.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

@hjiawei
Run as non-privilege and non-root user
ce3ef99 
This changeset set `securityContext` as non-privilege and non-root user
for IDS controller, prometheus, and kibana pods. It fixes an enterprise
component developmend issue on CIS profile hardened RKE2 cluster. When
the container is running as root or non-numeric user (nobody or kibana),
it failed non-root validation.
@hjiawei
Make UID and GID configurable in security context
2eb09af
@hjiawei
Update UTs for SecurityContext changes
0bbbe3d
@hjiawei hjiawei requested a review from a team as a code owner June 29, 2022 18:29
@marvin-tigera marvin-tigera added this to the v1.27.9 milestone Jun 29, 2022
@rene-dekker rene-dekker added the hold merge Do not merge label Jun 29, 2022
@rene-dekker
Copy link
Member

Added hold-merge label until the next EE release is cut, which is expected to be tomorrow.

@rene-dekker rene-dekker modified the milestones: v1.27.9, v1.27.10 Jun 29, 2022
@Brian-McM Brian-McM modified the milestones: v1.27.10, v1.27.11 Jun 29, 2022
@Brian-McM Brian-McM modified the milestones: v1.27.11, v1.27.12 Jul 6, 2022
rene-dekker
rene-dekker approved these changes Jul 7, 2022
View reviewed changes
Copy link
Member

@rene-dekker rene-dekker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@hjiawei hjiawei closed this Jul 7, 2022
@hjiawei hjiawei reopened this Jul 7, 2022
@rene-dekker rene-dekker merged commit f32dafe into tigera:release-v1.27 Jul 8, 2022
@hjiawei hjiawei deleted the cherrypick-non-root-security-context-release-1.27 branch July 8, 2022 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rene-dekker rene-dekker rene-dekker approved these changes

Assignees
No one assigned
Labels
docs-pr-required hold merge Do not merge release-note-required
Projects
None yet
Milestone
v1.27.12
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@hjiawei @rene-dekker @Brian-McM @marvin-tigera