Enable Seccomp configuration #960

xpivarc · 2023-02-13T10:16:45Z

No description provided.

jean-edouard · 2023-02-13T15:14:05Z

cluster-provision/k8s/check-cluster-up.sh

@@ -94,6 +94,12 @@ export KUBEVIRTCI_GOCLI_CONTAINER=quay.io/kubevirtci/gocli:latest

            ${ksh} wait -n kubevirt kv kubevirt --for condition=Available --timeout 15m

+            if [ "${KUBEVIRT_PSA:-"false"}" == "true"]; then


Suggested change

if [ "${KUBEVIRT_PSA:-"false"}" == "true"]; then

if [ "${KUBEVIRT_PSA}" == "true" ]; then

A default value should not be necessary as long as you're using double quotes

There must be a space before the closing bracket

Kubevirt needs to run under custom profile or compliant runtime default in order to run without issues on PSA enabled clusters. Signed-off-by: L. Pivarc <[email protected]>

brianmcarey · 2023-02-15T11:18:49Z

/test check-provision-k8s-1.26-centos9

kubevirt-bot · 2023-02-15T11:38:36Z

@xpivarc: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
check-up-kind-1.23-vgpu	`ffdb838`	link	false	`/test check-up-kind-1.23-vgpu`

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

brianmcarey

/lgtm

/approve

This allows the conformance tests to run successfully against the 1.26 provider with PSA enabled.

kubevirt-bot · 2023-02-15T15:53:42Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brianmcarey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [brianmcarey]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947) [0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960) [e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959) [9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956) ```release-note NONE ``` Signed-off-by: kubevirt-bot <[email protected]>

oshoval · 2023-02-20T08:22:08Z

cluster-provision/k8s/check-cluster-up.sh

@@ -94,6 +94,12 @@ export KUBEVIRTCI_GOCLI_CONTAINER=quay.io/kubevirtci/gocli:latest

            ${ksh} wait -n kubevirt kv kubevirt --for condition=Available --timeout 15m

+            if [ "${KUBEVIRT_PSA:-"false"}" == "true" ]; then


No need the default value please because we have it here already

kubevirtci/cluster-up/hack/common.sh

Line 25 in 31e5860

KUBEVIRT_PSA=${KUBEVIRT_PSA:-false}

Easier to read without it imo

./check-cluster-up.sh: line 97: KUBEVIRT_PSA: unbound variable

Not sure what you are suggesting...

ah ok it doesnt import this file, as it is check-up

so it is better please to set KUBEVIRT_PSA to either false or true in the section of check-cluster-up where we set all the rest, but not in the condition itself imo

[31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954) [15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947) [0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960) [e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959) [9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956) ```release-note NONE ``` Signed-off-by: kubevirt-bot <[email protected]>

[656d01a centos8: set SELinux boolean that is now required for chardev access by containers](kubevirt/kubevirtci#968) [31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954) [15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947) [0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960) [e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959) [9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956) ```release-note NONE ``` Signed-off-by: kubevirt-bot <[email protected]>

[1b9174d centos8: update SELinux policy version](kubevirt/kubevirtci#975) [e1cf770 robust stack: Fix sanity check](kubevirt/kubevirtci#970) [bc50e16 Add WFFC variation of rook-ceph-block](kubevirt/kubevirtci#967) [656d01a centos8: set SELinux boolean that is now required for chardev access by containers](kubevirt/kubevirtci#968) [31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954) [15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947) [0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960) [e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959) [9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956) ```release-note NONE ``` Signed-off-by: Or Shoval <[email protected]>

[1b9174d centos8: update SELinux policy version](kubevirt/kubevirtci#975) [e1cf770 robust stack: Fix sanity check](kubevirt/kubevirtci#970) [bc50e16 Add WFFC variation of rook-ceph-block](kubevirt/kubevirtci#967) [656d01a centos8: set SELinux boolean that is now required for chardev access by containers](kubevirt/kubevirtci#968) [31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954) [15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947) [0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960) [e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959) [9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956) ```release-note NONE ``` Signed-off-by: kubevirt-bot <[email protected]>

[1b9174d centos8: update SELinux policy version](kubevirt/kubevirtci#975) [e1cf770 robust stack: Fix sanity check](kubevirt/kubevirtci#970) [bc50e16 Add WFFC variation of rook-ceph-block](kubevirt/kubevirtci#967) [656d01a centos8: set SELinux boolean that is now required for chardev access by containers](kubevirt/kubevirtci#968) [31e5860 vm based providers: Introduce robust stack provider](kubevirt/kubevirtci#954) [15b2c14 Refresh snapshot CRDs follow up for 1.26-centos9 provider](kubevirt/kubevirtci#947) [0163752 Enable Seccomp configuration](kubevirt/kubevirtci#960) [e037eb1 Adds note about CLI dependencies](kubevirt/kubevirtci#959) [9c37b86 k8s-1.24-psa: Remove leftovers](kubevirt/kubevirtci#956) ```release-note NONE ``` Signed-off-by: Or Shoval <[email protected]>

kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Feb 13, 2023

kubevirt-bot requested review from jean-edouard and vladikr February 13, 2023 10:16

kubevirt-bot added the size/XS label Feb 13, 2023

xpivarc mentioned this pull request Feb 13, 2023

Allow to run conformance tests with default conf kubevirt/kubevirt#9167

Closed

xpivarc force-pushed the psa-conformance branch from ecd500f to 052411e Compare February 13, 2023 13:28

jean-edouard reviewed Feb 13, 2023

View reviewed changes

xpivarc force-pushed the psa-conformance branch 3 times, most recently from 9295354 to ffdb838 Compare February 15, 2023 11:16

Enable Seccomp configuration

ffdb838

Kubevirt needs to run under custom profile or compliant runtime default in order to run without issues on PSA enabled clusters. Signed-off-by: L. Pivarc <[email protected]>

brianmcarey approved these changes Feb 15, 2023

View reviewed changes

kubevirt-bot assigned brianmcarey Feb 15, 2023

kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Feb 15, 2023

kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 15, 2023

kubevirt-bot merged commit 0163752 into kubevirt:main Feb 15, 2023

kubevirt-bot mentioned this pull request Feb 17, 2023

Bump kubevirtci kubevirt/kubevirt#9208

Closed

oshoval reviewed Feb 20, 2023

View reviewed changes

oshoval mentioned this pull request Mar 6, 2023

Bump Kubevirtci, disable the custom SELinux policy and adapt for robust stack providers kubevirt/kubevirt#9375

Merged

jean-edouard mentioned this pull request Mar 6, 2023

Bump kubevirtci and disable the custom SELinux policy on all lanes kubevirt/kubevirt#9373

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enable Seccomp configuration #960

Enable Seccomp configuration #960

xpivarc commented Feb 13, 2023

jean-edouard Feb 13, 2023

brianmcarey commented Feb 15, 2023

kubevirt-bot commented Feb 15, 2023 •

edited

Loading

brianmcarey left a comment

kubevirt-bot commented Feb 15, 2023

oshoval Feb 20, 2023

xpivarc Feb 20, 2023

oshoval Feb 20, 2023 •

edited

Loading

		@@ -94,6 +94,12 @@ export KUBEVIRTCI_GOCLI_CONTAINER=quay.io/kubevirtci/gocli:latest

		${ksh} wait -n kubevirt kv kubevirt --for condition=Available --timeout 15m

		if [ "${KUBEVIRT_PSA:-"false"}" == "true"]; then

	if [ "${KUBEVIRT_PSA:-"false"}" == "true"]; then
	if [ "${KUBEVIRT_PSA}" == "true" ]; then

Enable Seccomp configuration #960

Enable Seccomp configuration #960

Conversation

xpivarc commented Feb 13, 2023

jean-edouard Feb 13, 2023

Choose a reason for hiding this comment

brianmcarey commented Feb 15, 2023

kubevirt-bot commented Feb 15, 2023 • edited Loading

brianmcarey left a comment

Choose a reason for hiding this comment

kubevirt-bot commented Feb 15, 2023

oshoval Feb 20, 2023

Choose a reason for hiding this comment

xpivarc Feb 20, 2023

Choose a reason for hiding this comment

oshoval Feb 20, 2023 • edited Loading

Choose a reason for hiding this comment

kubevirt-bot commented Feb 15, 2023 •

edited

Loading

oshoval Feb 20, 2023 •

edited

Loading