operator: Adapt to k8s-1.25 security restrictions #1401
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information
v2 SCC policies require you to:
- either leave SeccompProfile empty or set it to runtime/default
- always drop ALL. V1 only dropped KILL, MKNOD, SETUID, SETGID capabilities.
- not use allowPrivilegeEscalation=true
Couldn't you have omitted the SeccompProfile on the pod section?...
According to the discussion, it should have been possible.
Not setting it throws a warning with
Hm, how about that ... Would we want to raise it in the linked discussion?... I'm OK w/ approving this then.
Please consider if we want to provide feedback in the discussion about this, since something seems to be amiss.
Let's get the warning gone first, we can improve the situation later on.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: phoracek The full list of commands accepted by this bot can be found here. The pull request process is described here
/cherry-pick release-0.76
@phoracek: new pull request created: #1404 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/cherry-pick release-0.65
@qinqon: #1401 failed to apply on top of branch "release-0.65":
In response to this:
What this PR does / why we need it:
When deployed at some clusters based on k8s 1.25, the operator gets the following error
To fix that, the pod and container security context for the operator is fixed following instructions at redhat-openshift-ecosystem/community-operators-prod#1417.
Release note:
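
The three v2 SCC requirements quoted in the review above, written as a check over a pod's security contexts. This is an added example, not code from this pull request or the operator; `Pod`, `Container` and `CheckV2SCC` are hypothetical stand-ins for the Kubernetes types, and the sample pod is constructed.

```go
package main

import "fmt"

// Hypothetical minimal stand-ins for the securityContext fields; not the k8s.io/api types.
type Container struct {
	Name                     string
	Seccomp                  string   // "" means the field is left empty
	Drop                     []string // capabilities.drop
	AllowPrivilegeEscalation *bool    // nil means unset
}
type Pod struct {
	Seccomp    string // pod-level seccomp profile, "" means left empty
	Containers []Container
}

// seccompOK accepts an empty profile or the runtime default (annotation value or type name).
func seccompOK(p string) bool {
	return p == "" || p == "runtime/default" || p == "RuntimeDefault"
}

// CheckV2SCC returns one finding per violated requirement from the review.
func CheckV2SCC(pod Pod) []string {
	var out []string
	if !seccompOK(pod.Seccomp) {
		out = append(out, fmt.Sprintf("pod: seccomp profile %q not allowed", pod.Seccomp))
	}
	for _, c := range pod.Containers {
		if !seccompOK(c.Seccomp) {
			out = append(out, fmt.Sprintf("%s: seccomp profile %q not allowed", c.Name, c.Seccomp))
		}
		dropsAll := false
		for _, d := range c.Drop {
			dropsAll = dropsAll || d == "ALL"
		}
		if !dropsAll {
			out = append(out, fmt.Sprintf("%s: capabilities.drop %v lacks ALL", c.Name, c.Drop))
		}
		if c.AllowPrivilegeEscalation != nil && *c.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation is true")
		}
	}
	return out
}

func main() {
	yes := true // constructed sample: a container still using the v1 drop list
	pod := Pod{Containers: []Container{{Name: "operator", Drop: []string{"KILL", "MKNOD", "SETUID", "SETGID"}, AllowPrivilegeEscalation: &yes}}}
	fmt.Println(CheckV2SCC(pod))
}
```

The check follows the wording of the review: an unset `allowPrivilegeEscalation` is not flagged, only an explicit `true`.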