Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ adding comment one the scaffolds to clarifies for common cases that do not require escalating privileges is recommended the Pods/containers be restrictive #2720

Merged
merged 2 commits into from
Jun 13, 2022
Merged

✨ adding comment one the scaffolds to clarifies for common cases that do not require escalating privileges is recommended the Pods/containers be restrictive #2720

merged 2 commits into from
Jun 13, 2022

Conversation

camilamacedo86
Copy link
Member

@camilamacedo86 camilamacedo86 commented Jun 13, 2022
edited
Loading

Description
On the PR: #2700 we make all containers restrictive by default. However, it might not work on some vendors and versions.

In this way, for now, it seems the best approach to have the changes comment and warn the users.

Motivation

Help users avoid issues and check their Pods/containers not working on old cluster versions that do not support the current recommendations for good practices.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 13, 2022
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 13, 2022
@camilamacedo86 camilamacedo86 changed the title :sparkling: adding comment one the scaffolds to warn users about the seccomp spec field usage ❇️ : adding comment one the scaffolds to warn users about the seccomp spec field usage Jun 13, 2022
@camilamacedo86 camilamacedo86 changed the title ❇️ : adding comment one the scaffolds to warn users about the seccomp spec field usage sparkles : adding comment one the scaffolds to warn users about the seccomp spec field usage Jun 13, 2022
@camilamacedo86 camilamacedo86 changed the title sparkles : adding comment one the scaffolds to warn users about the seccomp spec field usage ✨ adding comment one the scaffolds to warn users about the seccomp spec field usage Jun 13, 2022
@camilamacedo86
Copy link
Member Author

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 13, 2022
@camilamacedo86
Copy link
Member Author

/test pull-kubebuilder-e2e-k8s-1-24-1

1 similar comment
@camilamacedo86
Copy link
Member Author

/test pull-kubebuilder-e2e-k8s-1-24-1

@camilamacedo86
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 13, 2022
@camilamacedo86
Copy link
Member Author

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 13, 2022
@everettraven everettraven mentioned this pull request Jun 13, 2022
Closed
@camilamacedo86
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 13, 2022
@kubernetes-sigs kubernetes-sigs deleted a comment from k8s-ci-robot Jun 13, 2022
@camilamacedo86 camilamacedo86 force-pushed the seccomp branch 3 times, most recently from f942dc8 to fe6424e Compare June 13, 2022 15:23
everettraven
everettraven suggested changes Jun 13, 2022
View reviewed changes
Copy link
Contributor

@everettraven everettraven left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some minor wording tweaks

pkg/plugins/common/kustomize/v1/scaffolds/internal/templates/config/manager/config.go Outdated Show resolved Hide resolved
@camilamacedo86 camilamacedo86 force-pushed the seccomp branch 2 times, most recently from 5141145 to c092685 Compare June 13, 2022 15:35
@camilamacedo86
Copy link
Member Author

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 13, 2022
everettraven
everettraven approved these changes Jun 13, 2022
View reviewed changes
Copy link
Contributor

@everettraven everettraven left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot
Copy link
Contributor

@everettraven: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@everettraven
Copy link
Contributor

everettraven commented Jun 13, 2022
edited
Loading

@camilamacedo86 I think that Prow test failure is related to using an older version of KinD.

I think this:

kubebuilder/test/common.sh

Line 51 in eea565c

kind_version=0.11.1

Needs to be:

kind_version=0.14.0

For further reference, we encountered this issue in SDK: operator-framework/operator-sdk#5835 (comment)

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 13, 2022
@camilamacedo86 camilamacedo86 changed the title ✨ adding comment one the scaffolds to warn users about the seccomp spec field usage ✨ adding comment one the scaffolds to clarifies for common cases that do not require escalating privileges is recommended the Pods/containers be restrictive Jun 13, 2022
@camilamacedo86
Copy link
Member Author

/test pull-kubebuilder-e2e-k8s-1-24-1

@camilamacedo86
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 13, 2022
everettraven
everettraven approved these changes Jun 13, 2022
View reviewed changes
Copy link
Contributor

@everettraven everettraven left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86, everettraven

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@camilamacedo86
Copy link
Member Author

/test pull-kubebuilder-e2e-k8s-1-24-1

@camilamacedo86 camilamacedo86 added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 13, 2022
@k8s-ci-robot
Copy link
Contributor

@camilamacedo86: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-kubebuilder-e2e-k8s-1-18-8 6eb0be1 link false /test pull-kubebuilder-e2e-k8s-1-18-8
pull-kubebuilder-e2e-k8s-1-19-4 6eb0be1 link false /test pull-kubebuilder-e2e-k8s-1-19-4
pull-kubebuilder-e2e-k8s-1-17-11 6eb0be1 link false /test pull-kubebuilder-e2e-k8s-1-17-11
pull-kubebuilder-e2e-k8s-1-24-1 6eb0be1 link false /test pull-kubebuilder-e2e-k8s-1-24-1

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot merged commit 57aed3f into kubernetes-sigs:master Jun 13, 2022
@camilamacedo86 camilamacedo86 deleted the seccomp branch June 14, 2022 09:43
@everettraven everettraven mentioned this pull request Jun 24, 2022
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@everettraven everettraven everettraven approved these changes

@joelanford joelanford Awaiting requested review from joelanford

@pwittrock pwittrock Awaiting requested review from pwittrock

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@camilamacedo86 @k8s-ci-robot @everettraven