manifests/*: comply to restricted pod security level by timflannagan · Pull Request #299 · openshift/operator-framework-olm

timflannagan · 2022-05-02T16:29:33Z

Follow-up to #295 which has additional scripts/* changes.

…onfigurations Signed-off-by: timflannagan <timflannagan@gmail.com>

openshift-ci · 2022-05-02T16:30:11Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: timflannagan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [timflannagan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

timflannagan · 2022-05-02T17:43:37Z

/retest-required

s-urbaniak · 2022-05-03T07:54:08Z

/retest-required

s-urbaniak · 2022-05-03T07:54:12Z

/lgtm

openshift-bot · 2022-05-03T09:56:13Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-05-03T14:20:13Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-05-03T16:44:12Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

timflannagan · 2022-05-03T18:32:12Z

Waiting for fixes to the e2e/upgrade checks.

/hold

s-urbaniak · 2022-05-05T09:56:59Z

/retest-required

s-urbaniak · 2022-05-09T13:56:09Z

        spec:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534


it turns out collect-profiles only has permissions to use the restricted SCC, hence we have to remove this line, the UID will be picked automatically from a safe range by SCC admission). The e2e failure is:

Error creating: pods "collect-profiles-27529095-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000380000, 1000389999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount] for Job.batch/v1/collect-profiles-27529095 -n openshift-operator-lifecycle-manager happened 5 times

s-urbaniak · 2022-05-09T13:56:35Z

        spec:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534


see https://github.com/openshift/operator-framework-olm/pull/299/files#r868043811

…ect-profiles CronJob Signed-off-by: timflannagan <timflannagan@gmail.com>

s-urbaniak · 2022-05-09T14:11:44Z

/lgtm

timflannagan · 2022-05-09T14:15:48Z

/retest-required

timflannagan · 2022-05-09T16:31:12Z

/retest-required

openshift-ci · 2022-05-09T18:22:59Z

@timflannagan: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

timflannagan · 2022-05-09T18:32:35Z

/hold cancel

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) Upstream-repository: api Upstream-commit: d52e6b24617a980e471dbfde1ec1780de9d23f35 --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](httpts://github.com/golang/net/compare/v0.10.0...v0.17.0) Upstream-repository: api Upstream-commit: d52e6b24617a980e471dbfde1ec1780de9d23f35 --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) Upstream-repository: api Upstream-commit: d52e6b24617a980e471dbfde1ec1780de9d23f35 --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) Upstream-repository: api Upstream-commit: d52e6b24617a980e471dbfde1ec1780de9d23f35 --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) Upstream-repository: api Upstream-commit: d52e6b24617a980e471dbfde1ec1780de9d23f35 --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](httpts://github.com/golang/net/compare/v0.10.0...v0.17.0) Upstream-repository: api Upstream-commit: d52e6b24617a980e471dbfde1ec1780de9d23f35 --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) Upstream-repository: api Upstream-commit: d52e6b24617a980e471dbfde1ec1780de9d23f35 --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.17.0. - [Commits](golang/net@v0.10.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Upstream-repository: api Upstream-commit: d52e6b24617a980e471dbfde1ec1780de9d23f35

s-urbaniak and others added 2 commits May 2, 2022 12:27

manifests/*: comply to restricted pod security level

26b2061

scripts: Add downstream-only patches for custom Pod securityContext c…

b5b49fe

…onfigurations Signed-off-by: timflannagan <timflannagan@gmail.com>

openshift-ci Bot requested review from anik120 and gallettilance May 2, 2022 16:30

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 2, 2022

openshift-ci Bot assigned s-urbaniak May 3, 2022

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 3, 2022

openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 3, 2022

s-urbaniak reviewed May 9, 2022

View reviewed changes

scripts,manifests: Remove the RunAsUser security context for the coll…

801683a

…ect-profiles CronJob Signed-off-by: timflannagan <timflannagan@gmail.com>

openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 9, 2022

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 9, 2022

openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 9, 2022

openshift-merge-robot merged commit ec696d9 into openshift:master May 9, 2022

timflannagan deleted the pod-security-context-4.11 branch May 9, 2022 18:34

Conversation

timflannagan commented May 2, 2022

Uh oh!

openshift-ci Bot commented May 2, 2022

Uh oh!

timflannagan commented May 2, 2022

Uh oh!

s-urbaniak commented May 3, 2022

Uh oh!

s-urbaniak commented May 3, 2022

Uh oh!

openshift-bot commented May 3, 2022

Uh oh!

openshift-bot commented May 3, 2022

Uh oh!

openshift-bot commented May 3, 2022

Uh oh!

timflannagan commented May 3, 2022

Uh oh!

s-urbaniak commented May 5, 2022

Uh oh!

s-urbaniak May 9, 2022

Choose a reason for hiding this comment

Uh oh!

s-urbaniak May 9, 2022

Choose a reason for hiding this comment

Uh oh!

s-urbaniak commented May 9, 2022

Uh oh!

timflannagan commented May 9, 2022

Uh oh!

timflannagan commented May 9, 2022

Uh oh!

openshift-ci Bot commented May 9, 2022

Uh oh!

timflannagan commented May 9, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants