Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(helm): set readOnlyRootFilesystem on CNI, more explicit templates #6604

Merged
merged 4 commits into from
Apr 25, 2023
Merged

feat(helm): set readOnlyRootFilesystem on CNI, more explicit templates #6604

merged 4 commits into from
Apr 25, 2023

Conversation

michaelbeaumont
Copy link
Contributor

@michaelbeaumont michaelbeaumont commented Apr 24, 2023
edited
Loading

Also make the runAsNonRoot: false more visible.

Checklist prior to review

  • Link to relevant issue as well as docs and UI issues --
  • This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as a image registry) and it will work on Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
  • Tests (Unit test, E2E tests, manual test on universal and k8s) --
  • Do you need to update UPGRADE.md? --
  • Does it need to be backported according to the backporting policy? --
  • Do you need to explicitly set a > Changelog: entry here or add a ci/ label to run fewer/more tests?

@michaelbeaumont
feat(helm): set readOnlyRootFilesystem on CNI, be more explicit
825437b 
Signed-off-by: Mike Beaumont <mjboamail@gmail.com>
@michaelbeaumont michaelbeaumont force-pushed the feat/helm_readonlyroot branch from a14ec59 to ac0e856 Compare April 24, 2023 16:37
@michaelbeaumont michaelbeaumont changed the title feat(helm): set readOnlyRootFilesystem on CNI feat(helm): set readOnlyRootFilesystem on CNI, more explicit templates Apr 24, 2023
@michaelbeaumont michaelbeaumont force-pushed the feat/helm_readonlyroot branch from ac0e856 to 72389cd Compare April 24, 2023 16:39
@michaelbeaumont
docs: regenerate
01ad6ce 
Signed-off-by: Mike Beaumont <mjboamail@gmail.com>
@michaelbeaumont
ci(helm): remove kube-linter ignore annotations
f9e4f17 
Signed-off-by: Mike Beaumont <mjboamail@gmail.com>
@michaelbeaumont
chore: generate
3d99407 
Signed-off-by: Mike Beaumont <mjboamail@gmail.com>
@michaelbeaumont michaelbeaumont force-pushed the feat/helm_readonlyroot branch from 7669be1 to 3d99407 Compare April 24, 2023 20:47
@michaelbeaumont michaelbeaumont marked this pull request as ready for review April 24, 2023 22:24
@michaelbeaumont michaelbeaumont requested review from a team, bartsmykla and lobkovilya and removed request for a team April 24, 2023 22:24
@bartsmykla
Copy link
Contributor

bartsmykla commented Apr 25, 2023
edited
Loading

Hmm. Doesn't readOnlyRootFilesystem prevent CNI installer to put plugin files in appropriate places? I couldn't find any good documentation of this setting.

@michaelbeaumont
Copy link
Contributor Author

@bartsmykla It's really only about the root filesystem, I think the plugin is installed on the volumes mounted from the host.

@bartsmykla
Copy link
Contributor

Got it

@michaelbeaumont michaelbeaumont merged commit 9e56917 into kumahq:master Apr 25, 2023
@michaelbeaumont michaelbeaumont deleted the feat/helm_readonlyroot branch April 25, 2023 07:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bartsmykla bartsmykla bartsmykla approved these changes

@lobkovilya lobkovilya Awaiting requested review from lobkovilya

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@michaelbeaumont @bartsmykla