diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json
index 476de38ccd..0354a94530 100644
--- a/assets/release/release-aarch64.json
+++ b/assets/release/release-aarch64.json
@@ -1,6 +1,6 @@
 {
 "release": {
- "base": "4.12.0-0.nightly-arm64-2023-02-26-022416"
+ "base": "4.12.0-0.nightly-arm64-2023-02-27-193902"
 },
 "images": {
 "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:deceba7099a0aeb7c82df21f74631f28ad2790c27c668849e7f5c8782b9ffa8f",
diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json
index 93428deb9e..eb0e4ec682 100644
--- a/assets/release/release-x86_64.json
+++ b/assets/release/release-x86_64.json
@@ -1,6 +1,6 @@
 {
 "release": {
- "base": "4.12.0-0.nightly-2023-02-26-022418"
+ "base": "4.12.0-0.nightly-2023-02-28-004807"
 },
 "images": {
 "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d9feb297a0007232cd124c9d0c94360b6ad35b81350b2b55469efc14fda48c72",
diff --git a/go.mod b/go.mod
index fe08ef250a..aa094ca262 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/openshift/api v0.0.0-20221116152553-4b67c2b2bb1e
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d
 github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c
- github.com/openshift/cluster-policy-controller v0.0.0-20230220142510-a78a00b3632f
+ github.com/openshift/cluster-policy-controller v0.0.0-20230227104154-139ac0499ac4
 github.com/openshift/library-go v0.0.0-20221205131816-1700fb06ea43
 github.com/openshift/route-controller-manager v0.0.0-20221130011049-9e74d175e81e
 github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index 4cd64821bf..4a94bed007 100644
--- a/go.sum
+++ b/go.sum
@@ -525,8 +525,8 @@ github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d h1:RR github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c h1:CV76yFOTXmq9VciBR3Bve5ZWzSxdft7gaMVB3kS0rwg= github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c/go.mod h1:lFMO8mLHXWFzSdYvGNo8ivF9SfF6zInA8ZGw4phRnUE= -github.com/openshift/cluster-policy-controller v0.0.0-20230220142510-a78a00b3632f h1:UPym333K9qZ9oPkX+qNgTmW+tG2ytvntqbox3u/2AI0= -github.com/openshift/cluster-policy-controller v0.0.0-20230220142510-a78a00b3632f/go.mod h1:vlkRuwyRueLOQ/ZRRle+rCrh+YNoh+pzJm9WaN9e6mU= +github.com/openshift/cluster-policy-controller v0.0.0-20230227104154-139ac0499ac4 h1:Y7Q1YTwgElV1FPd4G8pCN0GkWSSzAkF1SIpupC3ilyE= +github.com/openshift/cluster-policy-controller v0.0.0-20230227104154-139ac0499ac4/go.mod h1:vlkRuwyRueLOQ/ZRRle+rCrh+YNoh+pzJm9WaN9e6mU= github.com/openshift/etcd/api/v3 v3.5.1-0.20220707134052-31b6b2d9b4d7 h1:0zi9RAHd0uq9gwtbMvRbLJJkgVBpFU7EIj3LQkY7hXk= github.com/openshift/etcd/api/v3 v3.5.1-0.20220707134052-31b6b2d9b4d7/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A= github.com/openshift/etcd/client/pkg/v3 v3.5.1-0.20220707134052-31b6b2d9b4d7 h1:AYz2JmZ7SCtJnpN4HiAgoVYW9AV54CJSiz8c9vig0NM= diff --git a/scripts/auto-rebase/changelog.txt b/scripts/auto-rebase/changelog.txt index 7ca7792668..e931c942ae 100644 --- a/scripts/auto-rebase/changelog.txt +++ b/scripts/auto-rebase/changelog.txt 
@@ -1,17 +1,3 @@ -# cluster-kube-apiserver-operator embedded-component 336ffd5e7491f565faccf843571303377b1d4825 to a9a4df5f0cedeba2868a6ceb63ab58f67a0cdbf2 -f4c118ce9aec186b70615399ff71829bc7a0d044 2023-02-15T18:10:50+01:00 Guard pod set readiness probe endpoint explicitly -# cluster-network-operator embedded-component 43bc195cf9fef2db627369f86d10e0f501e9d3fa to 6f5e144f260333ad0f70a88a55eab4fc81ecd7a2 -3a98f98c4eb01338731c9dbd55b618f6b7c244b4 2023-01-17T20:11:33-06:00 added missing api field podref -# cluster-policy-controller embedded-component 105cc773b37f00be2351c9a4e6df24af94d547c1 to a78a00b3632f2c5a977ca200bf2b7a421eb121a8 -1bde0c94e6156fb9b28aac527ed601f7dff1c306 2023-02-18T11:22:19+01:00 update psa dependency version -6e315800c16b38ec0b4dd7d2a37f4606d4ba707e 2023-02-17T15:34:48+01:00 update controller-manager dependency to point to v0.25.0 -# kubernetes embedded-component a34b9e9499e6c3a94e2326652bd8236a5378c0b2 to 18eadcaadf0be77350013c8911ca953bc2ca3778 -57fc96959152c8c7ec33ac40b29f447accb6db17 2023-02-10T14:38:06+01:00 UPSTREAM: : bump(apiserver-library-go): scc admission - seccomp profiles fix -# ovn-kubernetes image-amd64 cf9fb51510e1870961bf3a0f064b73536757a4f8 to 5f8cd83cb3efb1d167f0da085f880377958ea502 -08b8105edc3a7da9316a77c1f149a9121665018c 2023-02-10T10:17:26+01:00 Delete stale egress ip snat entries by node -# kubernetes image-amd64 a34b9e9499e6c3a94e2326652bd8236a5378c0b2 to 18eadcaadf0be77350013c8911ca953bc2ca3778 -57fc96959152c8c7ec33ac40b29f447accb6db17 2023-02-10T14:38:06+01:00 UPSTREAM: : bump(apiserver-library-go): scc admission - seccomp profiles fix -# ovn-kubernetes image-arm64 cf9fb51510e1870961bf3a0f064b73536757a4f8 to 5f8cd83cb3efb1d167f0da085f880377958ea502 -08b8105edc3a7da9316a77c1f149a9121665018c 2023-02-10T10:17:26+01:00 Delete stale egress ip snat entries by node -# kubernetes image-arm64 a34b9e9499e6c3a94e2326652bd8236a5378c0b2 to 18eadcaadf0be77350013c8911ca953bc2ca3778 -57fc96959152c8c7ec33ac40b29f447accb6db17 
2023-02-10T14:38:06+01:00 UPSTREAM: : bump(apiserver-library-go): scc admission - seccomp profiles fix +# cluster-policy-controller embedded-component a78a00b3632f2c5a977ca200bf2b7a421eb121a8 to 139ac0499ac4d744023827ceb6d16aa6b467be27 +938944b9accb838dc7cd98e5f5f3399c332efed1 2023-02-22T13:01:35+01:00 psalabelsyncer: invert the enforce/log logic to default to logging +300027404416cb1ce35e484707f6621aee732c99 2023-02-01T11:35:27+01:00 enforce pod security admission when techpreview is enabled diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt index c0d03eaeba..1e186df78b 100644 --- a/scripts/auto-rebase/commits.txt +++ b/scripts/auto-rebase/commits.txt @@ -5,7 +5,7 @@ https://github.com/openshift/cluster-kube-controller-manager-operator embedded-c https://github.com/openshift/cluster-kube-scheduler-operator embedded-component 845ae423e831b1cacf0bcae5e6528f1d21b5ddf2 https://github.com/openshift/cluster-network-operator embedded-component 6f5e144f260333ad0f70a88a55eab4fc81ecd7a2 https://github.com/openshift/cluster-openshift-controller-manager-operator embedded-component d1915d130481541b8bacb5b98eddbc1541809d0a -https://github.com/openshift/cluster-policy-controller embedded-component a78a00b3632f2c5a977ca200bf2b7a421eb121a8 +https://github.com/openshift/cluster-policy-controller embedded-component 139ac0499ac4d744023827ceb6d16aa6b467be27 https://github.com/openshift/etcd embedded-component 978cfefd2f21c4ec1ac84ed95130cbff510fbe1b https://github.com/openshift/kubernetes embedded-component 18eadcaadf0be77350013c8911ca953bc2ca3778 https://github.com/openshift/machine-config-operator embedded-component 4099f3c4f4ea9df85a7516a6300a4c6e5504a5cd diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh index 0c1b1c296f..c5f729ba3b 100755 --- a/scripts/auto-rebase/last_rebase.sh +++ b/scripts/auto-rebase/last_rebase.sh 
@@ -1,2 +1,2 @@
 #!/bin/bash -x
-./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release:4.12.0-0.nightly-2023-02-26-022418" "registry.ci.openshift.org/ocp-arm64/release-arm64:4.12.0-0.nightly-arm64-2023-02-26-022416"
+./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release:4.12.0-0.nightly-2023-02-28-004807" "registry.ci.openshift.org/ocp-arm64/release-arm64:4.12.0-0.nightly-arm64-2023-02-27-193902"
diff --git a/vendor/github.com/openshift/cluster-policy-controller/pkg/cmd/controller/psalabelsyncer.go b/vendor/github.com/openshift/cluster-policy-controller/pkg/cmd/controller/psalabelsyncer.go
index 6ed9943585..cb1bc23ec5 100644
--- a/vendor/github.com/openshift/cluster-policy-controller/pkg/cmd/controller/psalabelsyncer.go
+++ b/vendor/github.com/openshift/cluster-policy-controller/pkg/cmd/controller/psalabelsyncer.go
@@ -4,6 +4,7 @@ import (
 "context"
 
 "github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer"
+ "k8s.io/apimachinery/pkg/util/sets"
 )
 
 func runPodSecurityAdmissionLabelSynchronizationController(ctx context.Context, controllerCtx *EnhancedControllerContext) (bool, error) {
@@ -13,19 +14,40 @@ func runPodSecurityAdmissionLabelSynchronizationController(ctx context.Context,
 return true, err
 }
 
- controller, err := psalabelsyncer.NewPodSecurityAdmissionLabelSynchronizationController(
- kubeClient.CoreV1().Namespaces(),
- controllerCtx.KubernetesInformers.Core().V1().Namespaces(),
- controllerCtx.KubernetesInformers.Rbac().V1(),
- controllerCtx.KubernetesInformers.Core().V1().ServiceAccounts(),
- controllerCtx.SecurityInformers.Security().V1().SecurityContextConstraints(),
- controllerCtx.EventRecorder.ForComponent("podsecurity-admission-label-sync-controller"),
- )
+ featureGates := sets.NewString(controllerCtx.OpenshiftControllerConfig.FeatureGates...)
+ switch {
+ case featureGates.Has("OpenShiftPodSecurityAdmission=true"):
+ // if explicitly on, enable
+ controller, err := psalabelsyncer.NewEnforcingPodSecurityAdmissionLabelSynchronizationController(
+ kubeClient.CoreV1().Namespaces(),
+ controllerCtx.KubernetesInformers.Core().V1().Namespaces(),
+ controllerCtx.KubernetesInformers.Rbac().V1(),
+ controllerCtx.KubernetesInformers.Core().V1().ServiceAccounts(),
+ controllerCtx.SecurityInformers.Security().V1().SecurityContextConstraints(),
+ controllerCtx.EventRecorder.ForComponent("podsecurity-admission-label-sync-controller"),
+ )
+ if err != nil {
+ return true, err
+ }
+ go controller.Run(ctx, 1)
 
- if err != nil {
- return true, err
+ case featureGates.Has("OpenShiftPodSecurityAdmission=false"):
+ // if explicitly off or unspecified, run as logging.
+ fallthrough
+ default:
+ controller, err := psalabelsyncer.NewAdvisingPodSecurityAdmissionLabelSynchronizationController(
+ kubeClient.CoreV1().Namespaces(),
+ controllerCtx.KubernetesInformers.Core().V1().Namespaces(),
+ controllerCtx.KubernetesInformers.Rbac().V1(),
+ controllerCtx.KubernetesInformers.Core().V1().ServiceAccounts(),
+ controllerCtx.SecurityInformers.Security().V1().SecurityContextConstraints(),
+ controllerCtx.EventRecorder.ForComponent("podsecurity-admission-label-sync-controller"),
+ )
+ if err != nil {
+ return true, err
+ }
+ go controller.Run(ctx, 1)
 }
- go controller.Run(ctx, 1)
 return true, nil
 }
diff --git a/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/podsecurity_label_sync_controller.go b/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/podsecurity_label_sync_controller.go
index 49c4b849f9..af360db751 100644
--- a/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/podsecurity_label_sync_controller.go
+++ b/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/podsecurity_label_sync_controller.go
@@ -41,6 +41,8 @@ const (
 // admission namespace label to match the user account privileges in terms of being able
 // to use SCCs
 type PodSecurityAdmissionLabelSynchronizationController struct {
+ shouldEnforce bool
+
 namespaceClient corev1client.NamespaceInterface
 namespaceLister corev1listers.NamespaceLister
 
@@ -53,7 +55,46 @@ type PodSecurityAdmissionLabelSynchronizationController struct {
 saToSCCsCache SAToSCCCache
 }
 
-func NewPodSecurityAdmissionLabelSynchronizationController(
+func NewEnforcingPodSecurityAdmissionLabelSynchronizationController(
+ namespaceClient corev1client.NamespaceInterface,
+ namespaceInformer corev1informers.NamespaceInformer,
+ rbacInformers rbacv1informers.Interface,
+ serviceAccountInformer corev1informers.ServiceAccountInformer,
+ sccInformer securityv1informers.SecurityContextConstraintsInformer,
+ eventRecorder events.Recorder,
+) (factory.Controller, error) {
+ return newPodSecurityAdmissionLabelSynchronizationController(
+ true,
+ namespaceClient,
+ namespaceInformer,
+ rbacInformers,
+ serviceAccountInformer,
+ sccInformer,
+ eventRecorder,
+ )
+}
+
+func NewAdvisingPodSecurityAdmissionLabelSynchronizationController(
+ namespaceClient corev1client.NamespaceInterface,
+ namespaceInformer corev1informers.NamespaceInformer,
+ rbacInformers rbacv1informers.Interface,
+ serviceAccountInformer corev1informers.ServiceAccountInformer,
+ sccInformer securityv1informers.SecurityContextConstraintsInformer,
+ eventRecorder events.Recorder,
+) (factory.Controller, error) {
+ return newPodSecurityAdmissionLabelSynchronizationController(
+ false,
+ namespaceClient,
+ namespaceInformer,
+ rbacInformers,
+ serviceAccountInformer,
+ sccInformer,
+ eventRecorder,
+ )
+}
+
+func newPodSecurityAdmissionLabelSynchronizationController(
+ shouldEnforce bool,
 namespaceClient corev1client.NamespaceInterface,
 namespaceInformer corev1informers.NamespaceInformer,
 rbacInformers rbacv1informers.Interface,
@@ -82,6 +123,8 @@ func NewPodSecurityAdmissionLabelSynchronizationController(
 syncCtx := factory.NewSyncContext(controllerName, eventRecorder.WithComponentSuffix(controllerName))
 
 c := &PodSecurityAdmissionLabelSynchronizationController{
+ shouldEnforce: shouldEnforce,
+
 namespaceClient: namespaceClient,
 namespaceLister: namespaceInformer.Lister(),
 
@@ -210,19 +253,48 @@ func (c *PodSecurityAdmissionLabelSynchronizationController) syncNamespace(ctx c
 nsCopy := ns.DeepCopy()
 var changed bool
- for typeLabel, versionLabel := range map[string]string{
- psapi.WarnLevelLabel: psapi.WarnVersionLabel,
- psapi.AuditLevelLabel: psapi.AuditVersionLabel,
- } {
- if ns.Labels[typeLabel] != string(psaLevel) || ns.Labels[versionLabel] != currentPSaVersion {
+
+ if c.shouldEnforce {
+ if nsCopy.Labels[psapi.EnforceLevelLabel] != string(psaLevel) || nsCopy.Labels[psapi.EnforceVersionLabel] != currentPSaVersion {
 changed = true
 if nsCopy.Labels == nil {
 nsCopy.Labels = map[string]string{}
 }
 
- nsCopy.Labels[typeLabel] = string(psaLevel)
- nsCopy.Labels[versionLabel] = currentPSaVersion
+ nsCopy.Labels[psapi.EnforceLevelLabel] = string(psaLevel)
+ nsCopy.Labels[psapi.EnforceVersionLabel] = currentPSaVersion
+ }
+
+ // cleanup audit and warn labels from version 4.11
+ // TODO: This can be removed in 4.13 and allow users set these as they wish
+ for typeLabel, versionLabel := range map[string]string{
+ psapi.WarnLevelLabel: psapi.WarnVersionLabel,
+ psapi.AuditLevelLabel: psapi.AuditVersionLabel,
+ } {
+ if _, ok := nsCopy.Labels[typeLabel]; ok {
+ delete(nsCopy.Labels, typeLabel)
+ changed = true
+ }
+ if _, ok := nsCopy.Labels[versionLabel]; ok {
+ delete(nsCopy.Labels, versionLabel)
+ changed = true
+ }
+ }
+ } else {
+ for typeLabel, versionLabel := range map[string]string{
+ psapi.WarnLevelLabel: psapi.WarnVersionLabel,
+ psapi.AuditLevelLabel: psapi.AuditVersionLabel,
+ } {
+ if ns.Labels[typeLabel] != string(psaLevel) || ns.Labels[versionLabel] != currentPSaVersion {
+ changed = true
+ if nsCopy.Labels == nil {
+ nsCopy.Labels = map[string]string{}
+ }
+
+ nsCopy.Labels[typeLabel] = string(psaLevel)
+ nsCopy.Labels[versionLabel] = currentPSaVersion
+ }
 }
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 81e9f3a2c2..37033e6752 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -863,7 +863,7 @@ github.com/openshift/client-go/user/informers/externalversions/internalinterface github.com/openshift/client-go/user/informers/externalversions/user github.com/openshift/client-go/user/informers/externalversions/user/v1 github.com/openshift/client-go/user/listers/user/v1 -# github.com/openshift/cluster-policy-controller v0.0.0-20230220142510-a78a00b3632f +# github.com/openshift/cluster-policy-controller v0.0.0-20230227104154-139ac0499ac4 ## explicit; go 1.19 github.com/openshift/cluster-policy-controller/pkg/client/genericinformers github.com/openshift/cluster-policy-controller/pkg/cmd/cluster-policy-controller