Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Restricted PSS security context work together with agent injection #1624

Merged
merged 1 commit into from
Dec 2, 2024
Merged

Make Restricted PSS security context work together with agent injection #1624

merged 1 commit into from
Dec 2, 2024

Conversation

Vlatombe
Copy link
Member

@Vlatombe Vlatombe commented Dec 2, 2024

When using both agentInjection: true and the checkbox "Inject restricted PSS security context in agent container definition" in an environment using restricted PSS, then the resulting pod can't be scheduled because the init container doesn't have the proper security context set.

This modifies the existing PSS logic to decorate as well init containers.

Testing done

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@Vlatombe Vlatombe added the bug Bug Fixes label Dec 2, 2024
@Vlatombe Vlatombe requested a review from a team as a code owner December 2, 2024 16:29
Vlatombe
Vlatombe commented Dec 2, 2024
View reviewed changes
src/test/java/org/csanchez/jenkins/plugins/kubernetes/AbstractGoldenFileTest.java
Comment on lines +30 to +33
assertEquals(name + "-before.yaml is not normalized", Serialization.asYaml(before), beforeYAML);
var afterYAML = loadFileAsStream(name + "-after.yaml");
var after = decorator.decorate(cloud, before);
assertEquals(name + "-after.yaml processed", afterYAML, Serialization.asYaml(after));
assertEquals(name + "-after.yaml processed", Serialization.asYaml(after), afterYAML);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

expected and actual were inverted.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe clearer to use assertThat(actual, is(expected))

@Vlatombe Vlatombe merged commit d82c569 into jenkinsci:master Dec 2, 2024
9 checks passed
@Vlatombe Vlatombe deleted the restricted-pss-security-context-agentInjection branch December 2, 2024 16:59
jglick
jglick reviewed Dec 2, 2024
View reviewed changes
src/main/java/org/csanchez/jenkins/plugins/kubernetes/RestrictedPssSecurityContextInjector.java
}

private static void secure(@NonNull Container container) {
var securityContext = container.getSecurityContext();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(ignore WS)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jglick jglick jglick left review comments

@amuniz amuniz amuniz approved these changes

Assignees
No one assigned
Labels
bug Bug Fixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Vlatombe @jglick @amuniz