Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow setting seccompProfile to enable using restricted security profile #13401

Merged
merged 1 commit into from
Oct 18, 2022
Merged

Allow setting seccompProfile to enable using restricted security profile #13401

merged 1 commit into from
Oct 18, 2022

Conversation

evankanderson
Copy link
Member

Fixes #13398

seccompProfile.type should only be set to RuntimeDefault or Localhost in the restricted Pod Security Standard.
Allow users to set the seccompProfile so that they can run Knative user-containers in restricted mode.

Relates to #13376

Proposed Changes

  • Allow users to set seccompProfile in PodSecurityContext and SecurityContext

Release Note

Services may now set `seccompProfile` in SecurityContext to allow users to comply with the `restricted` Pod Security Standards best-practice

@knative-prow
Copy link

knative-prow bot commented Oct 16, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. area/API API objects and controllers labels Oct 16, 2022
@evankanderson evankanderson mentioned this pull request Oct 16, 2022
Merged
@codecov
Copy link

codecov bot commented Oct 16, 2022
edited
Loading

Codecov Report

Base: 86.52% // Head: 86.45% // Decreases project coverage by -0.06% ⚠️

Coverage data is based on head (630c08d) compared to base (a18077c).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #13401      +/-   ##
==========================================
- Coverage   86.52%   86.45%   -0.07%     
==========================================
  Files         196      196              
  Lines       14551    14556       +5     
==========================================
- Hits        12590    12585       -5     
- Misses       1662     1671       +9     
- Partials      299      300       +1
Impacted Files Coverage Δ
pkg/apis/serving/fieldmask.go 95.61% <100.00%> (+0.04%) ⬆️
pkg/http/handler/timeout.go 84.76% <0.00%> (-6.63%) ⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@evankanderson
Copy link
Member Author

/assign @psschwei @skonto

@evankanderson evankanderson mentioned this pull request Oct 16, 2022
Merged
psschwei
psschwei reviewed Oct 18, 2022
View reviewed changes
Copy link
Contributor

@psschwei psschwei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor nit: we should also edit the features configmap to include this as one of the fields that can be set when the gate is on. Otherwise, looks good to me

psschwei
psschwei reviewed Oct 18, 2022
View reviewed changes
Copy link
Contributor

@psschwei psschwei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 18, 2022
@psschwei psschwei mentioned this pull request Oct 18, 2022
Merged
@knative-prow knative-prow bot merged commit d108ba9 into knative:main Oct 18, 2022
skonto pushed a commit to skonto/serving that referenced this pull request Oct 19, 2022
@evankanderson @skonto
Allow setting seccompProfile to enable using restricted security prof…
775acb8 
…ile (knative#13401)
openshift-merge-robot pushed a commit to openshift/knative-serving that referenced this pull request Oct 24, 2022
@skonto @evankanderson
[RELEASE-1.5][BACKPORT] Allow setting seccompProfile to enable using …
772dc55 
…restricted security profile (#1284)

* Allow setting seccompProfile to enable using restricted security profile (knative#13401)

* fix features cm

Co-authored-by: Evan Anderson <[email protected]>
skonto added a commit to skonto/serving that referenced this pull request Nov 15, 2022
@skonto @evankanderson
[RELEASE-1.5][BACKPORT] Allow setting seccompProfile to enable using …
23703c0 
…restricted security profile (knative#1284)

* Allow setting seccompProfile to enable using restricted security profile (knative#13401)

* fix features cm

Co-authored-by: Evan Anderson <[email protected]>
openshift-merge-robot pushed a commit to openshift-knative/serving that referenced this pull request Nov 15, 2022
@skonto @evankanderson
[RELEASE-1.5][BACKPORT] Allow setting seccompProfile to enable using …
384b91e 
…restricted security profile (knative#1284) (#9)

* Allow setting seccompProfile to enable using restricted security profile (knative#13401)

* fix features cm

Co-authored-by: Evan Anderson <[email protected]>

Co-authored-by: Evan Anderson <[email protected]>
@dprotaso dprotaso added this to the v1.8.0 milestone Nov 24, 2022
openshift-merge-robot pushed a commit to openshift-knative/serving that referenced this pull request Dec 22, 2022
@ReToCode @skonto @evankanderson
[RELEASE-1.7][BACKPORT] Allow setting seccompProfile to enable using … (
28d0934 
#91)

* [RELEASE-1.5][BACKPORT] Allow setting seccompProfile to enable using restricted security profile  (knative#1284) (#9)

* Allow setting seccompProfile to enable using restricted security profile (knative#13401)

* fix features cm

Co-authored-by: Evan Anderson <[email protected]>

Co-authored-by: Evan Anderson <[email protected]>

* Update checksum

Co-authored-by: Stavros Kontopoulos <[email protected]>
Co-authored-by: Evan Anderson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@psschwei psschwei psschwei left review comments

Assignees

@skonto skonto

@psschwei psschwei

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/API API objects and controllers lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.8.0
Development

Successfully merging this pull request may close these issues.
4 participants
@evankanderson @psschwei @dprotaso @skonto