Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow configuration of securityContext.Privileged explicitly to default value #15628

Closed
hernan-abi opened this issue Nov 25, 2024 · 3 comments · Fixed by #15643
Closed

Allow configuration of securityContext.Privileged explicitly to default value #15628

hernan-abi opened this issue Nov 25, 2024 · 3 comments · Fixed by #15643
Assignees
@KapilSareen
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/feature Well-understood/specified features, ready for coding.
Milestone
v1.17.0

Comments

@hernan-abi
Copy link

Describe the feature

Context:

Currently our services using knative serving have their securityContext field, privileged set to nil by default because this field is not allowed to be configured by the user. See:

serving/pkg/apis/serving/fieldmask.go

Line 716 in 3e45e8f

out.Privileged = nil

Setting this field to any value results in validation errors similar to the following:

(error: services.serving.knative.dev "xxxxxx" could not be patched: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: must not set the field(s): ...privileged)

The request:

Instead of a default nil, my team and I would like the ability to explicitly set this false. It results in the same behavior however the explicit false is more compliant with our security team and likely with other teams as well.

There was a GH discussion regarding the configuration of this field however it was ultimately decided against. See (#4130). The difference in my request is that I'm not requesting actual configuration but rather the ability to explicitly set the default value e.g. false.
The same was done previously for the automountServiceAccountToken field. After the merge the value is not actually configurable, but rather is allowed to be set only to false by the user. See: #11723 (comment)
@hernan-abi hernan-abi added the kind/feature Well-understood/specified features, ready for coding. label Nov 25, 2024
@skonto
Copy link
Contributor

skonto commented Nov 26, 2024

Hi @hernan-abi,

is more compliant with our security team and likely with other teams as well.

Would be interested to list your company in the adopters list here if you already use Knative?
Would you be interested in doing the PR?

cc @dprotaso any objection on the issue?

@skonto skonto added the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label Nov 26, 2024
@KapilSareen
Copy link
Contributor

/assign

@KapilSareen KapilSareen mentioned this issue Dec 2, 2024
Merged
@KapilSareen
Copy link
Contributor

Hey @skonto, can you please review this PR?

@dprotaso dprotaso added this to the v1.17.0 milestone Dec 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@KapilSareen KapilSareen

Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/feature Well-understood/specified features, ready for coding.
Projects
None yet
Milestone
v1.17.0
Development

Successfully merging a pull request may close this issue.

Allow securityContext.Privileged to be configurable KapilSareen/serving
4 participants
@dprotaso @skonto @KapilSareen @hernan-abi