Pod Security Admission support for odo deploy #6679

@feloy feloy commented Mar 23, 2023

What type of PR is this:

/kind feature

What does this PR do / why we need it:

Which issue(s) this PR fixes:

Fixes #6339

PR acceptance criteria:

  • Unit test

  • Integration test

  • Documentation

How to test changes / Special notes to the reviewer:


netlify bot commented Mar 23, 2023

Deploy Preview for odo-docusaurus-preview canceled.

Name Link
🔨 Latest commit 78d1a19
🔍 Latest deploy log https://app.netlify.com/sites/odo-docusaurus-preview/deploys/6422c805d49c6a000828c3c0

@openshift-ci openshift-ci bot added the kind/feature Categorizes issue as a feature request. For PRs, that means that the PR is the implementation label Mar 23, 2023
@openshift-ci openshift-ci bot requested review from anandrkskd and rm3l March 23, 2023 17:13

odo-robot bot commented Mar 23, 2023

NoCluster Tests on commit 8841d99 finished successfully.

@feloy feloy requested review from valaparthvi and removed request for anandrkskd March 23, 2023 17:19

odo-robot bot commented Mar 23, 2023

Unit Tests on commit 8841d99 finished successfully.

odo-robot bot commented Mar 23, 2023

Validate Tests on commit 8841d99 finished successfully.

odo-robot bot commented Mar 23, 2023

Kubernetes Tests on commit 8841d99 finished successfully.

odo-robot bot commented Mar 23, 2023

Windows Tests (OCP) on commit 8841d99 finished with errors.

odo-robot bot commented Mar 23, 2023

OpenShift Tests on commit 8841d99 finished successfully.

@feloy feloy closed this Mar 23, 2023
@feloy feloy reopened this Mar 23, 2023
@feloy feloy closed this Mar 23, 2023
@feloy feloy reopened this Mar 23, 2023
@feloy feloy closed this Mar 24, 2023
@feloy feloy reopened this Mar 24, 2023
@feloy feloy closed this Mar 24, 2023
@feloy feloy reopened this Mar 24, 2023
@feloy feloy changed the title Pod Security Admission support for odo deploy [WIP] Pod Security Admission support for odo deploy Mar 24, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. Required by Prow. label Mar 24, 2023
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. Required by Prow. label Mar 24, 2023
@feloy feloy force-pushed the feature-6339/pod-security-admission branch from 137d67c to 55e3c86 Compare March 27, 2023 08:05
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. Required by Prow. label Mar 27, 2023

odo-robot bot commented Mar 27, 2023

OpenShift Unauthenticated Tests on commit 8841d99 finished successfully.

odo-robot bot commented Mar 27, 2023

Kubernetes Docs Tests on commit d0edfb6 finished successfully.

@valaparthvi
Contributor

The changes lgtm and it seems to be working fine, but what I am curious about is, why does it still show a warning?

➜  go-deploy odo deploy
  __
 /  \__     Running the application in Deploy mode using nodejs-prj1-api-abhz Devfile
 \__/  \    Namespace: myns
 /  \__/    odo version: v3.8.0
 \__/

↪ Executing command:
 ◐  Executing command in container (command: deploy...W0327 16:33:12.911351   69916 warnings.go:70] would violate PodSecurity "restricted:latest": seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
 ✓  Executing command in container (command: deploy-exec) [7s]

↪ Executing command:
 ◐  Executing command in container (command: deploy-exec-2)W0327 16:36:37.410775   70704 warnings.go:70] would violate PodSecurity "restricted:latest": seccompProfile (pod or container "runtime" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
 ✓  Executing command in container (command: deploy-exec-2) [7s]

Your Devfile has been successfully deployed


feloy commented Mar 27, 2023

> The changes lgtm and it seems to be working fine, but what I am curious about is, why does it still show a warning?

@valaparthvi If you have only the "Warn" label on the namespace, the pod won't be modified (it will be modified only if the "enforce" label is set).
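
The warn-versus-enforce behaviour described in the reply above, sketched in Go as an added example (not odo's code and not part of the original thread). The `SecurityContext` type and the `Violations` and `Apply` functions are hypothetical names for illustration; the two label keys are the ones Kubernetes Pod Security Admission defines.

```go
package main

import "fmt"

// Namespace label keys defined by Kubernetes Pod Security Admission.
const enforceLabel = "pod-security.kubernetes.io/enforce"
const warnLabel = "pod-security.kubernetes.io/warn"

// SecurityContext is a simplified stand-in (assumption), not the client-go type.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool  // nil means "unset"
	DropAll                  bool   // capabilities.drop contains "ALL"
	SeccompProfileType       string // "" means "unset"
}

// Violations reports which of three "restricted" checks sc fails (a subset).
func Violations(sc SecurityContext) []string {
	var v []string
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation")
	}
	if !sc.DropAll {
		v = append(v, "capabilities")
	}
	if sc.SeccompProfileType != "RuntimeDefault" && sc.SeccompProfileType != "Localhost" {
		v = append(v, "seccompProfile")
	}
	return v
}

// Apply rewrites sc only under enforce=restricted; warn alone leaves it as is.
func Apply(labels map[string]string, sc SecurityContext) (SecurityContext, []string) {
	if labels[enforceLabel] == "restricted" {
		sc.AllowPrivilegeEscalation, sc.DropAll = new(bool), true // new(bool) points to false
		if sc.SeccompProfileType != "Localhost" {
			sc.SeccompProfileType = "RuntimeDefault"
		}
	}
	if labels[warnLabel] != "restricted" {
		return sc, nil
	}
	return sc, Violations(sc)
}

func main() {
	// Constructed sample matching the thread: only seccompProfile is unset.
	sc := SecurityContext{AllowPrivilegeEscalation: new(bool), DropAll: true}
	_, warn := Apply(map[string]string{warnLabel: "restricted"}, sc)
	fmt.Println(warn)
}
```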

@feloy feloy changed the title [WIP] Pod Security Admission support for odo deploy Pod Security Admission support for odo deploy Mar 27, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. Required by Prow. label Mar 27, 2023
@feloy feloy closed this Mar 27, 2023
@feloy feloy reopened this Mar 27, 2023
@rm3l rm3l self-requested a review March 27, 2023 14:58
Resolved review comment on tests/helper/component_podman.go (outdated)
feloy and others added 2 commits March 28, 2023 12:54
Co-authored-by: Armel Soro <armel@rm3l.org>
@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information
0.0% Duplication

Member

@rm3l rm3l left a comment

Thanks for the changes!

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. Required by Prow. label Mar 28, 2023

feloy commented Mar 28, 2023

/override windows-integration-test/Windows-test

Non-related failing test due to network error:

+ [FAILED] [21.675 seconds]
odo dev command tests [BeforeEach] when Devfile contains metadata.projectType invalid as a label value when odo deploy is executed should set the correct value in labels of deployed resources
  [BeforeEach] C:/Users/Administrator.ANSIBLE-TEST-VS/3514/tests/integration/cmd_dev_test.go:39
  [It] C:/Users/Administrator.ANSIBLE-TEST-VS/3514/tests/integration/cmd_dev_test.go:3283

  Timeline >>
  Created dir: C:\Users\Administrator.ANSIBLE-TEST-VS\AppData\Local\Temp\3899180349
  Created dir: C:\Users\Administrator.ANSIBLE-TEST-VS\AppData\Local\Temp\3694594853
  Setting KUBECONFIG=C:\Users\Administrator.ANSIBLE-TEST-VS\AppData\Local\Temp\3694594853\config
  Creating a new project: cmd-dev-test3283eho
  Running oc.exe with args [oc new-project cmd-dev-test3283eho] and odo env: []
  [oc] Unable to connect to the server: dial tcp 161.156.12.82:31700: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

@openshift-ci
Copy link

openshift-ci bot commented Mar 28, 2023

@feloy: Overrode contexts on behalf of feloy: windows-integration-test/Windows-test

@openshift-merge-robot openshift-merge-robot merged commit 163c164 into redhat-developer:main Mar 28, 2023
@rm3l rm3l mentioned this pull request Mar 30, 2023