OCPBUGS-1666: Expose flag to enable/disable PodSecurity #6062
41fd64f to 910d990
Fixes a few issues upstream and downstream:
If you pass in an unsupported option you get the help message:
When restricted is enabled, the pod will have the seccompProfile set on it.
If legacy is enabled then no seccompprofile is added to the Pod.
Just a teeny nit on the changelog. Also need to run `make generate` to update the CLI docs with the latest changes.
Added --security-context-config flag to enable seccompprofile. It defaults to enabled to support k8s 1.25. You can disable it with --security-context-config=legacy
Signed-off-by: jesus m. rodriguez <jesusr@redhat.com>

* Ignoring error from Set call in test
* Update .cncf maintainers
* Update run bundle(-upgrade) CLI docs
Signed-off-by: jesus m. rodriguez <jmrodri@gmail.com>

This was being duplicated because we had it in the text but were not setting the value to a default value. Once we set the value to the default cobra realized this and would output "(default: restricted)". So removing the manually entered text fixes the duplicate.
Signed-off-by: jesus m. rodriguez <jesusr@redhat.com>
662a486 to e67aa04
/lgtm
/cherry-pick v1.24.x
@jmrodri: new pull request created: #6080 In response to this:
…text
Add a parameter to let the users specify a value for --security-context-config (legacy/restricted, default restricted) to be used by the operator-sdk for its catalog pod. See: operator-framework/operator-sdk#6062
Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>

…text (#41134)
Add a parameter to let the users specify a value for --security-context-config (legacy/restricted, default restricted) to be used by the operator-sdk for its catalog pod. See: operator-framework/operator-sdk#6062
Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
Description of the change:
Added --security-context-config flag to enable seccompprofile. It defaults to enabled to support k8s 1.25. You can disable it with --security-context-config=legacy
Signed-off-by: jesus m. rodriguez <jesusr@redhat.com>
Motivation for the change:
In k8s 1.25 PodSecurityAdmission is enabled. https://kubernetes.io/blog/2022/08/04/upcoming-changes-in-kubernetes-1-25/#podsecuritypolicy-removal
Fixes a few issues found downstream but affect upstream as well:
Checklist
If the pull request includes user-facing changes, extra documentation is required:
- changelog/fragments (see changelog/fragments/00-template.yaml)
- website/content/en/docs
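
The flag behaviour described in this PR, as an added Go example that is not operator-sdk's code and not part of the PR: a validated `--security-context-config` value that defaults to `restricted`, rejects unsupported values, and only sets a seccompProfile in restricted mode. It uses the standard library `flag` package rather than cobra; the type and function names are hypothetical, and `RuntimeDefault` is an assumed profile type (the page does not name one; it is a type the Kubernetes restricted Pod Security Standard accepts).

```go
package main

import (
	"encoding/json"
	"flag"
	"fmt"
	"os"
)

// SecurityContextConfig is a hypothetical enum flag type for this example.
type SecurityContextConfig string

const (
	Restricted SecurityContextConfig = "restricted"
	Legacy     SecurityContextConfig = "legacy"
)
func (c *SecurityContextConfig) String() string { return string(*c) }
// Set rejects unsupported values so a typo fails at parse time.
func (c *SecurityContextConfig) Set(v string) error {
	if s := SecurityContextConfig(v); s == Restricted || s == Legacy {
		*c = s
		return nil
	}
	return fmt.Errorf("must be %q or %q", Restricted, Legacy)
}

// ParseConfig parses args; the flag defaults to restricted when absent.
func ParseConfig(args []string) (SecurityContextConfig, error) {
	cfg := Restricted
	fs := flag.NewFlagSet("run-bundle", flag.ContinueOnError)
	fs.Var(&cfg, "security-context-config", "restricted or legacy")
	err := fs.Parse(args) // on error, flag prints the message and usage
	return cfg, err
}

// PodSecurityContext renders the pod securityContext as JSON.
func PodSecurityContext(c SecurityContextConfig) string {
	sc := map[string]any{}
	if c == Restricted {
		// Assumption: RuntimeDefault; the page does not name the type.
		sc["seccompProfile"] = map[string]string{"type": "RuntimeDefault"}
	}
	b, _ := json.Marshal(sc) // cannot fail for these map types
	return string(b)
}

func main() {
	if cfg, err := ParseConfig(os.Args[1:]); err == nil {
		fmt.Println(cfg, PodSecurityContext(cfg))
	}
}
```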