diff --git a/docs/cmd/kn_container_add.md b/docs/cmd/kn_container_add.md index b5da00cd24..8a53f032b8 100644 --- a/docs/cmd/kn_container_add.md +++ b/docs/cmd/kn_container_add.md @@ -47,7 +47,7 @@ kn container add NAME --pull-policy string Image pull policy. Valid values (case insensitive): Always | Never | IfNotPresent --pull-secret string Image pull secret to set. An empty argument ("") clears the pull secret. The referenced secret must exist in the service's namespace. --request strings The resource requirement requests for this Service. For example, 'cpu=100m,memory=256Mi'. You can use this flag multiple times. To unset a resource request, append "-" to the resource name, e.g. '--request cpu-'. - --security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict") + --security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none") --service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace. --user int The user ID to run the container (e.g., 1001). ``` diff --git a/docs/cmd/kn_service_apply.md b/docs/cmd/kn_service_apply.md index 81221844d8..29d10d9f2f 100644 --- a/docs/cmd/kn_service_apply.md +++ b/docs/cmd/kn_service_apply.md 
@@ -73,7 +73,7 @@ kn service apply s0 --filename my-svc.yml --scale-target int Recommendation for what metric value the PodAutoscaler should attempt to maintain. Use with --scale-metric flag to configure the metric name for which the target value should be maintained. Default metric name is concurrency. The flag defaults to --concurrency-limit when given. --scale-utilization int Percentage of concurrent requests utilization before scaling up. (default 70) --scale-window string Duration to look back for making auto-scaling decisions. The service is scaled to zero if no request was received in during that time. (eg: 10s) - --security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict") + --security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none") --service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace. --timeout int Duration in seconds that the request routing layer will wait for a request delivered to a container to begin replying (default 300) --user int The user ID to run the container (e.g., 1001). diff --git a/docs/cmd/kn_service_create.md b/docs/cmd/kn_service_create.md index e2e1c0029b..2a5d030a5a 100644 --- a/docs/cmd/kn_service_create.md +++ b/docs/cmd/kn_service_create.md 
@@ -98,7 +98,7 @@ kn service create NAME --image IMAGE --scale-target int Recommendation for what metric value the PodAutoscaler should attempt to maintain. Use with --scale-metric flag to configure the metric name for which the target value should be maintained. Default metric name is concurrency. The flag defaults to --concurrency-limit when given. --scale-utilization int Percentage of concurrent requests utilization before scaling up. (default 70) --scale-window string Duration to look back for making auto-scaling decisions. The service is scaled to zero if no request was received in during that time. (eg: 10s) - --security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict") + --security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none") --service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace. --tag strings Set tag (format: --tag revisionRef=tagName) where revisionRef can be a revision or '@latest' string representing latest ready revision. This flag can be specified multiple times. --target string Work on local directory instead of a remote cluster (experimental) diff --git a/docs/cmd/kn_service_update.md b/docs/cmd/kn_service_update.md index 3aa6b2d573..1142e6b193 100644 --- a/docs/cmd/kn_service_update.md +++ b/docs/cmd/kn_service_update.md 
@@ -85,7 +85,7 @@ kn service update NAME --scale-target int Recommendation for what metric value the PodAutoscaler should attempt to maintain. Use with --scale-metric flag to configure the metric name for which the target value should be maintained. Default metric name is concurrency. The flag defaults to --concurrency-limit when given. --scale-utilization int Percentage of concurrent requests utilization before scaling up. (default 70) --scale-window string Duration to look back for making auto-scaling decisions. The service is scaled to zero if no request was received in during that time. (eg: 10s) - --security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict") + --security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none") --service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace. --tag strings Set tag (format: --tag revisionRef=tagName) where revisionRef can be a revision or '@latest' string representing latest ready revision. This flag can be specified multiple times. --target string Work on local directory instead of a remote cluster (experimental) diff --git a/docs/cmd/kn_source_container_create.md b/docs/cmd/kn_source_container_create.md index fac0aa0ad4..6cf1efe3fb 100644 --- a/docs/cmd/kn_source_container_create.md +++ b/docs/cmd/kn_source_container_create.md 
@@ -37,7 +37,7 @@ kn source container create NAME --image IMAGE --sink SINK --pull-policy string Image pull policy. Valid values (case insensitive): Always | Never | IfNotPresent --pull-secret string Image pull secret to set. An empty argument ("") clears the pull secret. The referenced secret must exist in the service's namespace. --request strings The resource requirement requests for this Service. For example, 'cpu=100m,memory=256Mi'. You can use this flag multiple times. To unset a resource request, append "-" to the resource name, e.g. '--request cpu-'. - --security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict") + --security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none") --service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace. -s, --sink string Addressable sink for events. You can specify a broker, channel, Knative service or URI. Examples: '--sink broker:nest' for a broker 'nest', '--sink channel:pipe' for a channel 'pipe', '--sink ksvc:mysvc:mynamespace' for a Knative service 'mysvc' in another namespace 'mynamespace', '--sink https://event.receiver.uri' for an HTTP URI, '--sink ksvc:receiver' or simply '--sink receiver' for a Knative service 'receiver' in the current namespace. '--sink special.eventing.dev/v1alpha1/channels:pipe' for GroupVersionResource of v1alpha1 'pipe'. If a prefix is not provided, it is considered as a Knative service in the current namespace. --user int The user ID to run the container (e.g., 1001). diff --git a/docs/cmd/kn_source_container_update.md b/docs/cmd/kn_source_container_update.md index 57c21dfbc8..abfcc67060 100644 --- a/docs/cmd/kn_source_container_update.md 
+++ b/docs/cmd/kn_source_container_update.md @@ -37,7 +37,7 @@ kn source container update NAME --image IMAGE --pull-policy string Image pull policy. Valid values (case insensitive): Always | Never | IfNotPresent --pull-secret string Image pull secret to set. An empty argument ("") clears the pull secret. The referenced secret must exist in the service's namespace. --request strings The resource requirement requests for this Service. For example, 'cpu=100m,memory=256Mi'. You can use this flag multiple times. To unset a resource request, append "-" to the resource name, e.g. '--request cpu-'. - --security-context string Security Context definition to be added the service. Accepted values: strict | none. (default "strict") + --security-context string Predefined security context for the service. Accepted values: 'none' for no security context and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation. (default "none") --service-account string Service account name to set. An empty argument ("") clears the service account. The referenced service account must exist in the service's namespace. -s, --sink string Addressable sink for events. You can specify a broker, channel, Knative service or URI. Examples: '--sink broker:nest' for a broker 'nest', '--sink channel:pipe' for a channel 'pipe', '--sink ksvc:mysvc:mynamespace' for a Knative service 'mysvc' in another namespace 'mynamespace', '--sink https://event.receiver.uri' for an HTTP URI, '--sink ksvc:receiver' or simply '--sink receiver' for a Knative service 'receiver' in the current namespace. '--sink special.eventing.dev/v1alpha1/channels:pipe' for GroupVersionResource of v1alpha1 'pipe'. If a prefix is not provided, it is considered as a Knative service in the current namespace. --user int The user ID to run the container (e.g., 1001). diff --git a/lib/test/service.go b/lib/test/service.go index a61ab046fa..deec4b81db 100644 --- a/lib/test/service.go +++ b/lib/test/service.go 
@@ -259,7 +259,6 @@ func BuildServiceWithOptions(name string, so ...servingtest.ServiceOption) *serv APIVersion: "serving.knative.dev/v1", } svc.Spec.Template.Spec.Containers[0].Resources = corev1.ResourceRequirements{} - svc.Spec.Template.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{} return svc } @@ -302,7 +301,6 @@ func BuildRevision(name string, options ...servingtest.RevisionOption) *servingv rev.ObjectMeta.UID = "" rev.ObjectMeta.Generation = int64(0) rev.Spec.PodSpec.Containers[0].Resources = corev1.ResourceRequirements{} - rev.Spec.PodSpec.Containers[0].SecurityContext = &corev1.SecurityContext{} return rev } diff --git a/pkg/kn/commands/service/create_mock_test.go b/pkg/kn/commands/service/create_mock_test.go index 1465428161..67a83a6f23 100644 --- a/pkg/kn/commands/service/create_mock_test.go +++ b/pkg/kn/commands/service/create_mock_test.go @@ -18,8 +18,6 @@ import ( "testing" "time" - "knative.dev/client/pkg/kn/flags" - "knative.dev/serving/pkg/apis/autoscaling" "gotest.tools/v3/assert" @@ -479,7 +477,6 @@ func getService(name string) *servingv1.Service { Limits: corev1.ResourceList{}, Requests: corev1.ResourceList{}, }, - SecurityContext: flags.DefaultStrictSecCon(), }} return service diff --git a/pkg/kn/commands/source/container/container_test.go b/pkg/kn/commands/source/container/container_test.go index 1f431ee576..10dadf3259 100644 --- a/pkg/kn/commands/source/container/container_test.go +++ b/pkg/kn/commands/source/container/container_test.go @@ -20,8 +20,6 @@ import ( "bytes" "strings" - "knative.dev/client/pkg/kn/flags" - corev1 "k8s.io/api/core/v1" "k8s.io/client-go/tools/clientcmd" v1 "knative.dev/eventing/pkg/apis/sources/v1" @@ -94,7 +92,6 @@ func createContainerSource(name, image string, sink duckv1.Destination, ceo map[ Limits: corev1.ResourceList{}, Requests: corev1.ResourceList{}, }, - SecurityContext: flags.DefaultStrictSecCon(), }}}). Sink(sink). Build() 
diff --git a/pkg/kn/flags/podspec.go b/pkg/kn/flags/podspec.go index 9706771847..502cec14d5 100644 --- a/pkg/kn/flags/podspec.go +++ b/pkg/kn/flags/podspec.go @@ -237,7 +237,8 @@ func (p *PodSpecFlags) AddFlags(flagset *pflag.FlagSet) []string { flagset.Int64VarP(&p.User, "user", "", 0, "The user ID to run the container (e.g., 1001).") flagNames = append(flagNames, "user") - flagset.StringVar(&p.SecurityContext, "security-context", "strict", "Security Context definition to be added the service. Accepted values: strict | none.") + flagset.StringVar(&p.SecurityContext, "security-context", "none", "Predefined security context for the service. Accepted values: 'none' for no security context "+ + "and 'strict' for dropping all capabilities, running as non-root, and no privilege escalation.") flagNames = append(flagNames, "security-context") return flagNames @@ -415,10 +416,6 @@ func (p *PodSpecFlags) ResolvePodSpec(podSpec *corev1.PodSpec, flags *pflag.Flag if err := UpdateSecurityContext(podSpec, p.SecurityContext); err != nil { return err } - } else { - if err := UpdateSecurityContext(podSpec, ""); err != nil { - return err - } } return nil diff --git a/pkg/kn/flags/podspec_helper.go b/pkg/kn/flags/podspec_helper.go index 0434e753a5..862b7b7b89 100644 --- a/pkg/kn/flags/podspec_helper.go +++ b/pkg/kn/flags/podspec_helper.go 
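Review bot: The new usage string advertises `(default "none")`, but with the `else` branch removed in the second hunk of this file `UpdateSecurityContext` now runs only when the flag is explicitly set, so on `kn service update` an unspecified flag leaves an existing strict context in place rather than yielding "no security context" as the help implies (the guarding `if` sits above that hunk, so this is inferred from the removed `else`). Suggest extending the help text with `"If the flag is not given, an existing security context is left unchanged."` and noting that `'none'` removes any security context already on the container. Flipping the default from strict to none also means newly created services no longer get dropped capabilities, non-root and no-privilege-escalation unless the user opts in with `--security-context=strict`; that behaviour change deserves a release note alongside the regenerated docs. Neither `AddFlags` nor `ResolvePodSpec` is fully visible in these hunks.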
@@ -386,15 +386,10 @@ func UpdateSecurityContext(spec *corev1.PodSpec, securityContext string) error {
 switch strings.ToLower(securityContext) {
 case "none":
 // Blank any Security Context defined
- container.SecurityContext = &corev1.SecurityContext{}
+ container.SecurityContext = nil
 case "strict":
 // Add or update Security Context to default strict
 container.SecurityContext = DefaultStrictSecCon()
- case "":
- // Add default strict SC flag is not used, hence empty value
- if container.SecurityContext == nil {
- container.SecurityContext = DefaultStrictSecCon()
- }
 //TODO(dsimansk): add parsing of SC options from the flag value
 default:
 return fmt.Errorf("invalid --security-context %s. Valid arguments: strict | none", securityContext)
diff --git a/pkg/kn/flags/podspec_helper_test.go b/pkg/kn/flags/podspec_helper_test.go
index bb4ef6ebf6..b9bac561f3 100644
--- a/pkg/kn/flags/podspec_helper_test.go
+++ b/pkg/kn/flags/podspec_helper_test.go
@@ -1506,16 +1506,7 @@ func TestUpdateSecurityContext(t *testing.T) {
 {
 name: "none",
 expected: &corev1.PodSpec{
- Containers: []corev1.Container{{
- SecurityContext: &corev1.SecurityContext{}}},
- },
- expectedError: nil,
- },
- {
- name: "",
- expected: &corev1.PodSpec{
- Containers: []corev1.Container{
- {SecurityContext: DefaultStrictSecCon()}},
+ Containers: []corev1.Container{{}},
 },
 expectedError: nil,
 },
diff --git a/pkg/kn/flags/podspec_test.go b/pkg/kn/flags/podspec_test.go
index a12f478840..aaec95b799 100644
--- a/pkg/kn/flags/podspec_test.go
+++ b/pkg/kn/flags/podspec_test.go
@@ -44,7 +44,7 @@ func TestPodSpecFlags(t *testing.T) {
 Volume: []string{},
 Arg: []string{},
 Command: []string{},
- SecurityContext: "strict",
+ SecurityContext: "none",
 }
 flags := &PodSpecFlags{}
 testCmd := &cobra.Command{
@@ -223,7 +223,6 @@ containers:
 Limits: corev1.ResourceList{},
 Requests: corev1.ResourceList{},
 },
- SecurityContext: DefaultStrictSecCon(),
 },
 {
 Name: "foo",
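Review bot: The comment above the rewritten `case "none":` line still says "Blank any Security Context defined", but `container.SecurityContext = nil` now discards the whole struct, including any field another flag may have written into it earlier (`--user` presumably sets RunAsUser — confirm against the flag order in ResolvePodSpec, which is outside this hunk). Suggest `// Remove the container security context entirely (nil, not an empty struct); fields set by other flags are discarded too.` With `case ""` gone, an explicit empty value now falls through to `default:` and prints `invalid --security-context .`, so `%q` would make the rejected value visible: `return fmt.Errorf("invalid --security-context %q. Valid arguments: strict | none", securityContext)`. The accompanying hunk in podspec_helper_test.go deletes the `""` case but adds no case asserting the new error, leaving that path untested. The function body begins above the hunk.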
@@ -398,7 +397,6 @@ func TestPodSpecResolveWithEnvFile(t *testing.T) { Limits: corev1.ResourceList{}, Requests: corev1.ResourceList{}, }, - SecurityContext: DefaultStrictSecCon(), }, }, } diff --git a/test/e2e/service_export_test.go b/test/e2e/service_export_test.go index 9bced1bda0..261a812f4f 100644 --- a/test/e2e/service_export_test.go +++ b/test/e2e/service_export_test.go @@ -53,7 +53,7 @@ func TestServiceExport(t *testing.T) { defer r.DumpIfFailed() t.Log("create service with byo revision") - serviceCreateWithOptions(r, "hello", "--revision-name", "rev1", "--security-context=none") + serviceCreateWithOptions(r, "hello", "--revision-name", "rev1") userImage := pkgtest.ImagePath("helloworld") if strings.Contains(userImage, "@") { @@ -233,7 +233,7 @@ func TestServiceExport(t *testing.T) { ), "--with-revisions", "--mode", "export", "-o", "yaml") t.Log("create and export service 'foo' and verify that serviceUID and configurationUID labels are absent") - serviceCreateWithOptions(r, "foo", "--security-context=none") + serviceCreateWithOptions(r, "foo") output := serviceExportOutput(r, "foo", "-o", "json") actSvc := servingv1.Service{} err = json.Unmarshal([]byte(output), &actSvc)