From f3faee707c1048db57c30493de3159ea628ac873 Mon Sep 17 00:00:00 2001
From: Kauana dos Santos
Date: Tue, 11 Jul 2023 11:26:06 -0700
Subject: [PATCH 1/6] feat: secure-pod-defaults flag is enabled by default [#14029]

---
 config/core/configmaps/features.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml
index f4c42983a1e8..02ee9d5eb6ea 100644
--- a/config/core/configmaps/features.yaml
+++ b/config/core/configmaps/features.yaml
@@ -22,7 +22,7 @@ metadata:
 app.kubernetes.io/component: controller
 app.kubernetes.io/version: devel
 annotations:
- knative.dev/example-checksum: "f2fc138e"
+ knative.dev/example-checksum: "cee81616"
 data:
 _example: |-
 ################################
@@ -43,9 +43,8 @@ data:
 # Default SecurityContext settings to secure-by-default values
 # if unset.
 #
- # This value will default to "enabled" in a future release,
- # probably Knative 1.10
- secure-pod-defaults: "disabled"
+ # Indicates whether secure-pod-defaults support is enabled
+ secure-pod-defaults: "enabled"
 
 # Indicates whether multi container support is enabled
 #
From 72758c906f30e1c0f898a418a3d232cc8f56d917 Mon Sep 17 00:00:00 2001
From: Kauana dos Santos
Date: Tue, 11 Jul 2023 23:21:13 -0700
Subject: [PATCH 2/6] add link to secure-pod-defaults documentation

---
 config/core/configmaps/features.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml
index 02ee9d5eb6ea..a8fcfba44ffa 100644
--- a/config/core/configmaps/features.yaml
+++ b/config/core/configmaps/features.yaml
@@ -22,7 +22,7 @@ metadata:
 app.kubernetes.io/component: controller
 app.kubernetes.io/version: devel
 annotations:
- knative.dev/example-checksum: "cee81616"
+ knative.dev/example-checksum: "51805dd0"
 data:
 _example: |-
 ################################
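Review bot: The `@@ -43,9 +43,8 @@` hunk flips the documented example to `secure-pod-defaults: "enabled"`, but the default that actually applies when the key is absent, `SecurePodDefaults` in `defaultFeaturesConfig()` (pkg/apis/config/features.go), is only changed in PATCH 3/6 of this series; at this commit and the next one the `_example` text and the real default disagree, which makes each commit misleading on its own and hurts bisecting. Move the one-line features.go change into this commit, or squash 1/6 through 4/6, so the YAML example, the Go default and the test updates land together. Nothing in this hunk enforces that agreement; it is documentation text only.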
@@ -44,6 +44,12 @@ data:
 # if unset.
 #
 # Indicates whether secure-pod-defaults support is enabled
+<<<<<<< HEAD
+=======
+
+ # WARNING: Cannot safely be disabled once enabled.
+ # See: https://knative.dev/docs/serving/feature-flags/#secure-pod-defaults
+>>>>>>> 21ca62711 (Add link to secure-pod-defaults documentation)
 secure-pod-defaults: "enabled"
 
 # Indicates whether multi container support is enabled
From a8313a3d148a7f0fc651d3be2cf50e4f72c30bda Mon Sep 17 00:00:00 2001
From: Kauana dos Santos
Date: Tue, 11 Jul 2023 12:00:18 -0700
Subject: [PATCH 3/6] add securityContext checks to tests

---
 config/core/configmaps/features.yaml | 11 +-
 pkg/apis/config/features.go | 2 +-
 pkg/apis/serving/fieldmask_test.go | 6 +-
 pkg/apis/serving/k8s_validation_test.go | 114 ++++-
 .../serving/v1/configuration_defaults_test.go | 30 ++
 pkg/apis/serving/v1/revision_defaults_test.go | 450 ++++++++++++++++++
 pkg/apis/serving/v1/service_defaults_test.go | 41 ++
 pkg/reconciler/revision/table_test.go | 6 +-
 8 files changed, 652 insertions(+), 8 deletions(-)

diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml
index a8fcfba44ffa..b4c8e4204850 100644
--- a/config/core/configmaps/features.yaml
+++ b/config/core/configmaps/features.yaml
@@ -22,7 +22,7 @@ metadata:
 app.kubernetes.io/component: controller
 app.kubernetes.io/version: devel
 annotations:
- knative.dev/example-checksum: "51805dd0"
+ knative.dev/example-checksum: "43e1a61b"
 data:
 _example: |-
 ################################
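Review bot: The six added lines commit unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 21ca62711 (…)`) into the shipped ConfigMap; because `_example` is a `|-` block scalar the file still parses, so the markers would ship silently as documentation text, and the `knative.dev/example-checksum` bump in the hunk above was computed over them, so the checksum check would not catch it either. PATCH 3/6 (the `@@ -40,16 +40,19 @@` hunk further down this page) nests a second set of markers on top of these, and PATCH 4/6 removes them again, so the series should be squashed or rewritten so that only the resolved text lands: `+    #`, `+    # WARNING: Cannot safely be disabled once enabled.`, `+    # See: https://knative.dev/docs/serving/feature-flags/#secure-pod-defaults`.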
@@ -40,16 +40,19 @@ data:
 # this example block and unindented to be in the data block
 # to actually change the configuration.
 
- # Default SecurityContext settings to secure-by-default values
- # if unset.
- #
 # Indicates whether secure-pod-defaults support is enabled
 <<<<<<< HEAD
+<<<<<<< HEAD
 =======
 
 # WARNING: Cannot safely be disabled once enabled.
 # See: https://knative.dev/docs/serving/feature-flags/#secure-pod-defaults
 >>>>>>> 21ca62711 (Add link to secure-pod-defaults documentation)
+=======
+
+ # WARNING: Cannot safely be disabled once enabled.
+ # See: TBD
+>>>>>>> 3eec2d1c9 (Update tests to use SecurityContextto account for enabling secure-pod-defaults)
 secure-pod-defaults: "enabled"
 
 # Indicates whether multi container support is enabled
diff --git a/pkg/apis/config/features.go b/pkg/apis/config/features.go
index 4e9d0aefde6c..46ada90a69c9 100644
--- a/pkg/apis/config/features.go
+++ b/pkg/apis/config/features.go
@@ -72,7 +72,7 @@ func defaultFeaturesConfig() *Features {
 PodSpecInitContainers: Disabled,
 PodSpecDNSPolicy: Disabled,
 PodSpecDNSConfig: Disabled,
- SecurePodDefaults: Disabled,
+ SecurePodDefaults: Enabled,
 TagHeaderBasedRouting: Disabled,
 AutoDetectHTTP2: Disabled,
 }
diff --git a/pkg/apis/serving/fieldmask_test.go b/pkg/apis/serving/fieldmask_test.go
index bb13c8e739a1..ac709a3351f0 100644
--- a/pkg/apis/serving/fieldmask_test.go
+++ b/pkg/apis/serving/fieldmask_test.go
@@ -809,7 +809,11 @@ func TestPodSecurityContextMask(t *testing.T) {
 },
 }
 
- want := &corev1.PodSecurityContext{}
+ want := &corev1.PodSecurityContext{
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ }
 
 ctx := context.Background()
 got := PodSecurityContextMask(ctx, in)
diff --git a/pkg/apis/serving/k8s_validation_test.go b/pkg/apis/serving/k8s_validation_test.go
index 0f10a25c2ae3..4674427e3929 100644
--- a/pkg/apis/serving/k8s_validation_test.go
+++ b/pkg/apis/serving/k8s_validation_test.go
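Review bot: Besides nesting a second conflict block, this hunk deletes the only two lines that said what the flag does (`# Default SecurityContext settings to secure-by-default values` / `# if unset.`) and keeps just `# Indicates whether secure-pod-defaults support is enabled`, which restates the key name; PATCH 4/6's resolution of this block on this page keeps the terse form. This is the text an operator reads in the ConfigMap when deciding whether to opt out of a security default, so the behavioural description belongs next to the WARNING, e.g. `# Indicates whether secure-pod-defaults support is enabled. When enabled,`, `# unset SecurityContext fields are defaulted to secure-by-default values.`.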
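Review bot: In the fieldmask_test.go hunk the expectation that `SeccompProfile` survives `PodSecurityContextMask(ctx, in)` changes while the mask itself is untouched anywhere in this series, so the new `want` holds only because `ctx` is `context.Background()` and `defaultFeaturesConfig()` now returns `SecurePodDefaults: Enabled` (the features.go hunk just above) — presumably the mask reads the flag from the context; `in` is defined outside the hunk. That couples the test's meaning to a package default that could be flipped again, and the dependency is invisible in the test body. Make it explicit the way the validation tests in this package do, e.g. `cfg := config.FromContextOrDefaults(ctx)`, `cfg.Features.SecurePodDefaults = config.Enabled`, `ctx = config.ToContext(ctx, cfg)`, and ideally add the Disabled case asserting the profile is stripped.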
@@ -108,6 +108,27 @@ func withPodSpecSecurityContextEnabled() configOption {
 }
 }
 
+func withPodSpecSecurityContextDisabled() configOption {
+ return func(cfg *config.Config) *config.Config {
+ cfg.Features.PodSpecSecurityContext = config.Disabled
+ return cfg
+ }
+}
+
+func withSecurePodDefaultsDisabled() configOption {
+ return func(cfg *config.Config) *config.Config {
+ cfg.Features.SecurePodDefaults = config.Disabled
+ return cfg
+ }
+}
+
+func withSecurePodDefaultsEnabled() configOption {
+ return func(cfg *config.Config) *config.Config {
+ cfg.Features.SecurePodDefaults = config.Enabled
+ return cfg
+ }
+}
+
 func withContainerSpecAddCapabilitiesEnabled() configOption {
 return func(cfg *config.Config) *config.Config {
 cfg.Features.ContainerSpecAddCapabilities = config.Enabled
@@ -1274,7 +1295,7 @@ func TestPodSpecFeatureValidation(t *testing.T) {
 Message: "must not set the field(s)",
 Paths: []string{"securityContext"},
 },
- cfgOpts: []configOption{withPodSpecSecurityContextEnabled()},
+ cfgOpts: []configOption{withPodSpecSecurityContextEnabled(), withSecurePodDefaultsDisabled()},
 }, {
 name: "PriorityClassName",
 featureSpec: corev1.PodSpec{
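Review bot: Of the three helpers added in the `@@ -108,6 +108,27 @@` hunk only `withSecurePodDefaultsDisabled` gains a caller in this commit (the `cfgOpts` change in the `@@ -1274,7 +1295,7 @@` hunk); `withPodSpecSecurityContextDisabled` and `withSecurePodDefaultsEnabled` are referenced nowhere except inside the commented-out test at the end of this file, so `staticcheck`'s unused check should report them, and PATCH 4/6 deletes all three again. Add the helpers in the same commit as the test that actually calls them, or leave them out of this one. The helpers are complete top-level functions, so nothing is cut at the hunk edges.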
@@ -3015,3 +3036,94 @@ func TestPodSpecSecurityContextValidation(t *testing.T) {
 })
 }
 }
+
+// func TestPodSpecSecurityContextFeatureValidation(t *testing.T) {
+// // test relationship between SecurePodDefaults and PodSpecSecurityContext
+// featureData := struct {
+// name string
+// featureSpec corev1.PodSpec
+// cfgOpts []configOption
+// err *apis.FieldError
+// errLevel apis.DiagnosticLevel
+// }{
+// name: "PodSpecSecurityContext",
+// featureSpec: corev1.PodSpec{
+// SecurityContext: &corev1.PodSecurityContext{},
+// },
+// err: &apis.FieldError{
+// Message: "must not set the field(s)",
+// Paths: []string{"securityContext"},
+// },
+// cfgOpts: []configOption{withPodSpecSecurityContextEnabled(), withSecurePodDefaultsDisabled()},
+// }{
+// name: "SecurePodDefaults",
+// featureSpec: corev1.PodSpec{
+// SecurityContext: &corev1.PodSecurityContext{},
+// },
+// err: &apis.FieldError{
+// Message: "must not set the field(s)",
+// Paths: []string{"securityContext"},
+// },
+// cfgOpts: []configOption{withPodSpecSecurityContextEnabled(), withSecurePodDefaultsDisabled()},
+// }
+
+// featureTests := []struct {
+// nameTemplate string
+// enableFeature bool
+// includeFeatureSpec bool
+// wantError bool
+// }{{
+// nameTemplate: "flag disabled: %s not present",
+// enableFeature: false,
+// includeFeatureSpec: false,
+// wantError: false,
+// }, {
+// nameTemplate: "flag disabled: %s present",
+// enableFeature: false,
+// includeFeatureSpec: true,
+// wantError: false,
+// }, {
+// nameTemplate: "flag enabled: %s not present",
+// enableFeature: true,
+// includeFeatureSpec: false,
+// wantError: false,
+// }, {
+// nameTemplate: "flag enabled: %s present",
+// enableFeature: true,
+// includeFeatureSpec: true,
+// wantError: false,
+// }}
+
+// for _, test := range featureTests {
+// t.Run(fmt.Sprintf(test.nameTemplate, featureData.name), func(t *testing.T) {
+// ctx := context.Background()
+// obj := corev1.PodSpec{
+// Containers: []corev1.Container{{
+// 
Image: "busybox",
+// }},
+// }
+// want := &apis.FieldError{}
+// if test.wantError {
+// want = featureData.err
+// }
+// if test.enableFeature {
+// cfg := config.FromContextOrDefaults(ctx)
+// for _, opt := range featureData.cfgOpts {
+// cfg = opt(cfg)
+// }
+// ctx = config.ToContext(ctx, cfg)
+// }
+// if test.includeFeatureSpec {
+// obj = featureData.featureSpec
+// obj.Containers = []corev1.Container{{
+// Image: "busybox",
+// }}
+// }
+// got := ValidatePodSpec(ctx, obj)
+// got = got.Filter(featureData.errLevel)
+// if diff := cmp.Diff(want.Error(), got.Error()); diff != "" {
+// t.Errorf("ValidatePodSpec (-want, +got): \n%s", diff)
+// }
+// })
+// }
+// }
diff --git a/pkg/apis/serving/v1/configuration_defaults_test.go b/pkg/apis/serving/v1/configuration_defaults_test.go
index ae6e8d9058e3..4fb897833d2d 100644
--- a/pkg/apis/serving/v1/configuration_defaults_test.go
+++ b/pkg/apis/serving/v1/configuration_defaults_test.go
@@ -76,6 +76,16 @@ func TestConfigurationDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
@@ -111,6 +121,16 @@ func TestConfigurationDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
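Review bot: The `@@ -3015,3 +3036,94 @@` hunk commits 91 lines of a test function as `//` comments, and the draft would not compile if uncommented: `featureData := struct{…}{…}{…}` joins two composite-literal bodies with `}{`, `errLevel` is declared in the struct type but assigned in neither body, and all four rows of `featureTests` set `wantError: false`, so the table would assert nothing about the flag interaction it is meant to cover. Commented-out code is invisible to `go vet` and `staticcheck` and rots immediately; drop the block from this commit and land the working table test instead (PATCH 4/6's subject says it rewrites this file), or at most leave one line, `// TODO: cover the SecurePodDefaults/PodSpecSecurityContext interaction in TestPodSpecFeatureValidation`. The three context lines at the top of the hunk close `TestPodSpecSecurityContextValidation`, whose body starts outside the hunk.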
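Review bot: The `@@ -76,6 +76,16 @@` hunk of configuration_defaults_test.go pastes a ten-line `SecurityContext` literal into the expectation, and the identical literal is repeated in every hunk of this file, of revision_defaults_test.go and of service_defaults_test.go in this commit, next to fixtures (`defaultResources`, `defaultProbe`) that the file already shares. This set of values (`Drop: ALL`, `RunAsNonRoot`, `AllowPrivilegeEscalation: false`, `RuntimeDefault` seccomp) is what the series' PATCH 4/6 message calls the restricted profile, and it should have one name and one place to change, so a later tightening of the defaults does not mean editing forty copies; the three files appear to share the `pkg/apis/serving/v1` package, so one helper in a `_test.go` file would serve all of them. A function rather than a package `var` keeps each expectation from aliasing the others' pointers; each `SecurityContext:` line then becomes `SecurityContext: secureContainerSecurityContext(),`.
```go
// secureContainerSecurityContext returns the container SecurityContext the
// defaulter fills in while secure-pod-defaults is enabled. A fresh value is
// built on every call so that no test expectation aliases another.
func secureContainerSecurityContext() *corev1.SecurityContext {
	return &corev1.SecurityContext{
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
		RunAsNonRoot:             ptr.Bool(true),
		AllowPrivilegeEscalation: ptr.Bool(false),
		SeccompProfile: &corev1.SeccompProfile{
			Type: corev1.SeccompProfileTypeRuntimeDefault,
		},
	}
}
// … unchanged: each expected Container keeps Image/Resources/ReadinessProbe and uses
// SecurityContext: secureContainerSecurityContext(), in place of the inline literal …
```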
@@ -148,6 +168,16 @@ func TestConfigurationDefaulting(t *testing.T) { Image: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, TimeoutSeconds: ptr.Int64(60), diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go index 0fe5e65079b7..1e20de0cd6a1 100644 --- a/pkg/apis/serving/v1/revision_defaults_test.go +++ b/pkg/apis/serving/v1/revision_defaults_test.go @@ -91,6 +91,16 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, @@ -123,6 +133,16 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, 
@@ -158,6 +178,16 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, EnableServiceLinks: ptr.Bool(true), }, @@ -189,6 +219,16 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, EnableServiceLinks: ptr.Bool(true), }, @@ -220,6 +260,16 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, EnableServiceLinks: ptr.Bool(false), }, 
@@ -254,6 +304,16 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, EnableServiceLinks: ptr.Bool(false), }, @@ -289,6 +349,16 @@ func TestRevisionDefaulting(t *testing.T) { }}, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, ContainerConcurrency: ptr.Int64(1), @@ -322,6 +392,16 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, @@ -362,6 +442,16 @@ func TestRevisionDefaulting(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, 
@@ -399,6 +489,16 @@ func TestRevisionDefaulting(t *testing.T) { }, }, }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, @@ -430,6 +530,16 @@ func TestRevisionDefaulting(t *testing.T) { SuccessThreshold: 1, TimeoutSeconds: 1, // Added as k8s default }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, Resources: defaultResources, }}, }, @@ -452,6 +562,16 @@ func TestRevisionDefaulting(t *testing.T) { Name: config.DefaultUserContainerName, Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, @@ -503,6 +623,16 @@ func TestRevisionDefaulting(t *testing.T) { }, }, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, 
@@ -532,12 +662,32 @@ func TestRevisionDefaulting(t *testing.T) { Name: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "helloworld", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, 
@@ -578,31 +728,111 @@ func TestRevisionDefaulting(t *testing.T) { Containers: []corev1.Container{{ Name: "user-container-1", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "user-container-0", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "user-container-3", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "user-container-2", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "user-container-5", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: 
"user-container-6", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "user-container-7", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "user-container-4", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, 
@@ -661,17 +891,57 @@ func TestRevisionDefaulting(t *testing.T) { Name: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "helloworld", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, InitContainers: []corev1.Container{{ Name: "init1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, 
@@ -710,21 +980,81 @@ func TestRevisionDefaulting(t *testing.T) { Name: "busybox", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "helloworld", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, InitContainers: []corev1.Container{{ Name: "init1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init-container-0", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init-container-1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: 
[]corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, 
@@ -763,21 +1093,81 @@ func TestRevisionDefaulting(t *testing.T) { Name: "user-container-0", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "user-container-1", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, InitContainers: []corev1.Container{{ Name: "init1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init-container-0", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init-container-1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + 
Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, }, }, 
@@ -816,21 +1206,81 @@ func TestRevisionDefaulting(t *testing.T) { Name: "init-container-0", Resources: defaultResources, ReadinessProbe: defaultProbe, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, Ports: []corev1.ContainerPort{{ ContainerPort: 8888, }}, }, { Name: "init-container-1", Resources: defaultResources, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }}, InitContainers: []corev1.Container{{ Name: "init1", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init-container-2", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, + RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(false), + SeccompProfile: &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, }, { Name: "init-container-3", + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + 
Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 },
diff --git a/pkg/apis/serving/v1/service_defaults_test.go b/pkg/apis/serving/v1/service_defaults_test.go
index 01547042ac79..d53281ac081f 100644
--- a/pkg/apis/serving/v1/service_defaults_test.go
+++ b/pkg/apis/serving/v1/service_defaults_test.go
@@ -87,6 +87,16 @@ func TestServiceDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
@@ -130,6 +140,17 @@ func TestServiceDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ LocalhostProfile: nil,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
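Review bot: The `@@ -130,6 +140,17 @@` hunk of service_defaults_test.go writes `LocalhostProfile: nil,` inside the `SeccompProfile`, which is the field's zero value and appears in none of the other copies of this literal in the commit (the `@@ -87` hunk directly above is the same literal without it); a struct comparison treats the two forms identically, so the line changes nothing and only makes a reader wonder whether this case expects a different profile. Delete `LocalhostProfile: nil,` so the expectation reads like the others. The enclosing `TestServiceDefaulting` table starts and ends outside the hunk.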
@@ -176,6 +197,16 @@ func TestServiceDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 EnableServiceLinks: ptr.Bool(true),
 },
@@ -233,6 +264,16 @@ func TestServiceDefaulting(t *testing.T) {
 Image: "busybox",
 Resources: defaultResources,
 ReadinessProbe: defaultProbe,
+ SecurityContext: &corev1.SecurityContext{
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ RunAsNonRoot: ptr.Bool(true),
+ AllowPrivilegeEscalation: ptr.Bool(false),
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ },
 }},
 },
 TimeoutSeconds: ptr.Int64(config.DefaultRevisionTimeoutSeconds),
diff --git a/pkg/reconciler/revision/table_test.go b/pkg/reconciler/revision/table_test.go
index 498f779f554b..992ba5dbc9bb 100644
--- a/pkg/reconciler/revision/table_test.go
+++ b/pkg/reconciler/revision/table_test.go
@@ -679,7 +679,10 @@ func TestReconcile(t *testing.T) {
 withDefaultContainerStatuses(), withInitContainerStatuses(), WithRevisionObservedGeneration(1)),
 }},
 Key: "foo/first-reconcile",
- Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{PodSpecInitContainers: defaultconfig.Enabled}}),
+ Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{
+ PodSpecInitContainers: defaultconfig.Enabled,
+ SecurePodDefaults: defaultconfig.Enabled,
+ }}),
 }, {
 Name: "first revision reconciliation with PVC, PVC enabled",
 // Test the simplest successful reconciliation flow.
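Review bot: In the table_test.go `@@ -679,7 +679,10 @@` hunk the `Ctx` is built from a hand-written `&defaultconfig.Features{…}` in which every flag not listed is the zero value rather than whatever `defaultFeaturesConfig()` returns; that is exactly why this hunk (and the `@@ -703,6 +706,7 @@` hunk that follows) has to add `SecurePodDefaults: defaultconfig.Enabled` by hand, and the next change to the shipped defaults will again silently not reach these rows. If the config package offers a defaults constructor — the commented-out validation test in this series calls `config.FromContextOrDefaults(ctx)` — start from that and set only the flags the row needs, e.g. `cfg := defaultconfig.FromContextOrDefaults(context.Background())`, `cfg.Features.PodSpecInitContainers = defaultconfig.Enabled`, `Ctx: defaultconfig.ToContext(context.Background(), cfg),`; otherwise a small package-level helper that copies the defaults would do. The `TestReconcile` table starts and ends outside the hunk.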
@@ -703,6 +706,7 @@ func TestReconcile(t *testing.T) { Ctx: defaultconfig.ToContext(context.Background(), &defaultconfig.Config{Features: &defaultconfig.Features{ PodSpecPersistentVolumeClaim: defaultconfig.Enabled, PodSpecPersistentVolumeWrite: defaultconfig.Enabled, + SecurePodDefaults: defaultconfig.Enabled, }}), }} From 8b51a6096d2d48c004984d9fdb559ab7f9aac107 Mon Sep 17 00:00:00 2001 From: Kauana dos Santos Date: Mon, 25 Sep 2023 18:58:06 -0700 Subject: [PATCH 4/6] test PodSpecSecurityContext/SecurePodDefaults interaction - Secure pod default off and podspec security context off ..can't set special securitycontext properties - Secure pod default off and podspec security context on...can change allowed securitycontext to anything, e.g. runAsNonRoot: false - Secure pod default on and podspec security context off...must use restricted profile security properties --- config/core/configmaps/features.yaml | 13 +- pkg/apis/serving/k8s_validation_test.go | 181 ++++++++---------------- 2 files changed, 64 insertions(+), 130 deletions(-) diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml index b4c8e4204850..c0cd255a6503 100644 --- a/config/core/configmaps/features.yaml +++ b/config/core/configmaps/features.yaml @@ -22,7 +22,7 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/version: devel annotations: - knative.dev/example-checksum: "43e1a61b" + knative.dev/example-checksum: "4c668645" data: _example: |- ################################ 
@@ -41,18 +41,9 @@ data: # to actually change the configuration. # Indicates whether secure-pod-defaults support is enabled -<<<<<<< HEAD -<<<<<<< HEAD -======= - + # # WARNING: Cannot safely be disabled once enabled. # See: https://knative.dev/docs/serving/feature-flags/#secure-pod-defaults ->>>>>>> 21ca62711 (Add link to secure-pod-defaults documentation) -======= - - # WARNING: Cannot safely be disabled once enabled. - # See: TBD ->>>>>>> 3eec2d1c9 (Update tests to use SecurityContextto account for enabling secure-pod-defaults) secure-pod-defaults: "enabled" # Indicates whether multi container support is enabled diff --git a/pkg/apis/serving/k8s_validation_test.go b/pkg/apis/serving/k8s_validation_test.go index 4674427e3929..2037212ef84e 100644 --- a/pkg/apis/serving/k8s_validation_test.go +++ b/pkg/apis/serving/k8s_validation_test.go @@ -108,27 +108,6 @@ func withPodSpecSecurityContextEnabled() configOption { } } -func withPodSpecSecurityContextDisabled() configOption { - return func(cfg *config.Config) *config.Config { - cfg.Features.PodSpecSecurityContext = config.Disabled - return cfg - } -} - -func withSecurePodDefaultsDisabled() configOption { - return func(cfg *config.Config) *config.Config { - cfg.Features.SecurePodDefaults = config.Disabled - return cfg - } -} - -func withSecurePodDefaultsEnabled() configOption { - return func(cfg *config.Config) *config.Config { - cfg.Features.SecurePodDefaults = config.Enabled - return cfg - } -} - func withContainerSpecAddCapabilitiesEnabled() configOption { return func(cfg *config.Config) *config.Config { cfg.Features.ContainerSpecAddCapabilities = config.Enabled 
@@ -1286,16 +1265,6 @@ func TestPodSpecFeatureValidation(t *testing.T) { Paths: []string{"runtimeClassName"}, }, cfgOpts: []configOption{withPodSpecRuntimeClassNameEnabled()}, - }, { - name: "PodSpecSecurityContext", - featureSpec: corev1.PodSpec{ - SecurityContext: &corev1.PodSecurityContext{}, - }, - err: &apis.FieldError{ - Message: "must not set the field(s)", - Paths: []string{"securityContext"}, - }, - cfgOpts: []configOption{withPodSpecSecurityContextEnabled(), withSecurePodDefaultsDisabled()}, }, { name: "PriorityClassName", featureSpec: corev1.PodSpec{ 
@@ -3037,93 +3006,67 @@ func TestPodSpecSecurityContextValidation(t *testing.T) { } } -// func TestPodSpecSecurityContextFeatureValidation(t *testing.T) { -// // test relationship between SecurePodDefaults and PodSpecSecurityContext -// featureData := struct { -// name string -// featureSpec corev1.PodSpec -// cfgOpts []configOption -// err *apis.FieldError -// errLevel apis.DiagnosticLevel -// }{ -// name: "PodSpecSecurityContext", -// featureSpec: corev1.PodSpec{ -// SecurityContext: &corev1.PodSecurityContext{}, -// }, -// err: &apis.FieldError{ -// Message: "must not set the field(s)", -// Paths: []string{"securityContext"}, -// }, -// cfgOpts: []configOption{withPodSpecSecurityContextEnabled(), withSecurePodDefaultsDisabled()}, -// }{ -// name: "SecurePodDefaults", -// featureSpec: corev1.PodSpec{ -// SecurityContext: &corev1.PodSecurityContext{}, -// }, -// err: &apis.FieldError{ -// Message: "must not set the field(s)", -// Paths: []string{"securityContext"}, -// }, -// cfgOpts: []configOption{withPodSpecSecurityContextEnabled(), withSecurePodDefaultsDisabled()}, -// } +func TestSecurityContextSecurePodDefaultsFeatureValidation(t *testing.T) { + tests := []struct { + name string + sc *corev1.PodSecurityContext + err *apis.FieldError + errLevel apis.DiagnosticLevel + cfgOpts *config.Config + }{{ + name: "SecurePodDefaults off, PodSpecSecurityContext off", + sc: &corev1.PodSecurityContext{}, + cfgOpts: &config.Config{ + Features: &config.Features{ + SecurePodDefaults: config.Disabled, + PodSpecSecurityContext: config.Disabled, + }, + }, + }, { + name: "SecurePodDefaults off, PodSpecSecurityContext on", + sc: &corev1.PodSecurityContext{ + RunAsNonRoot: ptr.Bool(false), + }, + cfgOpts: &config.Config{ + Features: &config.Features{ + SecurePodDefaults: config.Disabled, + PodSpecSecurityContext: config.Enabled, + }, + }, + }, { + name: "SecurePodDefaults on, PodSpecSecurityContext off", + sc: &corev1.PodSecurityContext{ + SeccompProfile: &corev1.SeccompProfile{ + 
Type: corev1.SeccompProfileTypeRuntimeDefault, + }, + }, + cfgOpts: &config.Config{ + Features: &config.Features{ + SecurePodDefaults: config.Enabled, + PodSpecSecurityContext: config.Disabled, + }, + }, + }, { + name: "SecurePodDefaults on, PodSpecSecurityContext on", + sc: &corev1.PodSecurityContext{}, + cfgOpts: &config.Config{ + Features: &config.Features{ + SecurePodDefaults: config.Enabled, + PodSpecSecurityContext: config.Enabled, + }, + }, + }} -// featureTests := []struct { -// nameTemplate string -// enableFeature bool -// includeFeatureSpec bool -// wantError bool -// }{{ -// nameTemplate: "flag disabled: %s not present", -// enableFeature: false, -// includeFeatureSpec: false, -// wantError: false, -// }, { -// nameTemplate: "flag disabled: %s present", -// enableFeature: false, -// includeFeatureSpec: true, -// wantError: false, -// }, { -// nameTemplate: "flag enabled: %s not present", -// enableFeature: true, -// includeFeatureSpec: false, -// wantError: false, -// }, { -// nameTemplate: "flag enabled: %s present", -// enableFeature: true, -// includeFeatureSpec: true, -// wantError: false, -// }} + for _, test := range tests { + ctx := config.ToContext(context.Background(), test.cfgOpts) -// for _, test := range featureTests { -// t.Run(fmt.Sprintf(test.nameTemplate, featureData.name), func(t *testing.T) { -// ctx := context.Background() -// obj := corev1.PodSpec{ -// Containers: []corev1.Container{{ -// Image: "busybox", -// }}, -// } -// want := &apis.FieldError{} -// if test.wantError { -// want = featureData.err -// } -// if test.enableFeature { -// cfg := config.FromContextOrDefaults(ctx) -// for _, opt := range featureData.cfgOpts { -// cfg = opt(cfg) -// } -// ctx = config.ToContext(ctx, cfg) -// } -// if test.includeFeatureSpec { -// obj = featureData.featureSpec -// obj.Containers = []corev1.Container{{ -// Image: "busybox", -// }} -// } -// got := ValidatePodSpec(ctx, obj) -// got = got.Filter(featureData.errLevel) -// if diff := 
cmp.Diff(want.Error(), got.Error()); diff != "" { -// t.Errorf("ValidatePodSpec (-want, +got): \n%s", diff) -// } -// }) -// } -// } + t.Run(test.name, func(t *testing.T) { + got := ValidatePodSecurityContext(ctx, test.sc) + got.Filter(test.errLevel) + if diff := cmp.Diff(test.err.Error(), got.Error()); diff != "" { + t.Errorf("ValidatePodSecurityContext(-want, +got): \n%s", diff) + } + }) + } + +} From 631855bd29ba557a52e4a510a5b1567f9d10f600 Mon Sep 17 00:00:00 2001 From: Kauana dos Santos Date: Thu, 28 Sep 2023 22:33:34 -0700 Subject: [PATCH 5/6] run update-codegen.sh --- config/core/configmaps/features.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml index c0cd255a6503..7dcf64f361ed 100644 --- a/config/core/configmaps/features.yaml +++ b/config/core/configmaps/features.yaml @@ -22,7 +22,7 @@ metadata: app.kubernetes.io/component: controller app.kubernetes.io/version: devel annotations: - knative.dev/example-checksum: "4c668645" + knative.dev/example-checksum: "3c7d91f6" data: _example: |- ################################ From a3204f1edb81b7194712de846d76c474c11a812d Mon Sep 17 00:00:00 2001 From: Kauana dos Santos Date: Fri, 29 Sep 2023 08:30:46 -0700 Subject: [PATCH 6/6] temp. add enable_gke_telemetry var --- test/e2e-common.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/test/e2e-common.sh b/test/e2e-common.sh index e65224de4baa..8ba892dde59f 100644 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh @@ -29,6 +29,7 @@ export GATEWAY_API_VERSION=${GATEWAY_API_VERSION:-""} export CERTIFICATE_CLASS=${CERTIFICATE_CLASS:-""} # Only build linux/amd64 bit images export KO_FLAGS="${KO_FLAGS:---platform=linux/amd64}" +export ENABLE_GKE_TELEMETRY=true export RUN_HTTP01_AUTO_TLS_TESTS=${RUN_HTTP01_AUTO_TLS_TESTS:-0} export HTTPS=${HTTPS:-0}
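Review bot: `got.Filter(test.errLevel)` in the loop body discards its result, so the filtering is a no-op and `got.Error()` is compared unfiltered; the commented-out version this hunk replaces assigned it back, and the line should read `got = got.Filter(test.errLevel)`. Every case also leaves `err` nil, so the table only asserts that these four contexts are accepted and never that a disallowed setting is rejected — the commit message describes each flag combination as restricting something, so at least one case with a non-nil `err` (for example `RunAsNonRoot: ptr.Bool(false)` with both flags off, if the validator does reject that) is needed before the test can catch a regression. The `cfgOpts` field holds a `*config.Config` rather than a `[]configOption` like the rest of this file, so a name such as `cfg` would be clearer, and the blank line before the function's closing brace is stray.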
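Review bot: `export ENABLE_GKE_TELEMETRY=true` is unconditional, while every neighbouring export in this hunk honours a value already in the environment via `${VAR:-default}`, so a caller cannot turn it off without editing the script; `export ENABLE_GKE_TELEMETRY=${ENABLE_GKE_TELEMETRY:-true}` keeps the file's convention. The commit title marks the variable as temporary, but nothing in the file says so; a one-line comment such as `# Temporary: sets ENABLE_GKE_TELEMETRY for e2e cluster setup; remove when no longer needed` would stop it outliving its purpose.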