ApiServerSource creates receive adapter deployments dynamically without setting SecurityContext #6787
Labels
kind/bug
Categorizes issue or PR as related to a bug.
Comments
/cc @evankanderson FYI

I'm not sure we have a consistent pattern for enhancing these created deployments, so it's not surprising we might miss some things.

/assign matzew
@evankanderson I saw that for serving you introduced a feature-flag, but the config there is generally more broad. For our internal deployment, I am thinking to just add the bits, similar to the static manifests we updated late 2022.
knative-prow bot pushed a commit that referenced this issue Mar 3, 2023

…ent (#6788)

Fixes #6787

## Proposed Changes

- similar to our static manifests we set the required SC bits (see: #6533), except SeccompProfile

### Pre-review Checklist

- [ ] **At least 80% unit test coverage**
- [ ] **E2E tests** for any new behavior
- [ ] **Docs PR** for any user-facing impact
- [ ] **Spec PR** for any new API feature
- [ ] **Conformance test** for any change to the spec

**Release Note**

```release-note
SecurityContext settings for ApiServerSource's Receive Adapter's container/deployment
```

**Docs**

Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
vishal-chdhry pushed a commit to vishal-chdhry/eventing that referenced this issue Mar 14, 2023

…ent (knative#6788)

Fixes knative#6787

## Proposed Changes

- similar to our static manifests we set the required SC bits (see: knative#6533), except SeccompProfile

### Pre-review Checklist

- [ ] **At least 80% unit test coverage**
- [ ] **E2E tests** for any new behavior
- [ ] **Docs PR** for any user-facing impact
- [ ] **Spec PR** for any new API feature
- [ ] **Conformance test** for any change to the spec

**Release Note**

```release-note
SecurityContext settings for ApiServerSource's Receive Adapter's container/deployment
```

**Docs**

Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
Describe the bug

For RA of `ApiServerSource` we do completely lack the `SecurityContext` of the `Container` obj on each of the "k8s source"'s deployment: https://github.com/knative/eventing/blob/main/pkg/reconciler/apiserversource/resources/receive_adapter.go#L87-L107

In #6533 we did address some `PodSecurityPolicy` enhancement, but looks like we missed the `ApiServerSource`
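
A check for the gap described in this issue, as an added example that is not part of the issue or of the Knative code base: it reads a rendered Deployment as JSON and reports every container whose `securityContext` is missing or weak. `Findings`, the container names and the sample manifest are constructed for illustration, and the three fields checked are an assumption taken from the Kubernetes Pod Security Standards "restricted" profile, not from the referenced PR.

```go
package main

import "encoding/json"
import "fmt"

// container mirrors only the fields read here (not the k8s.io/api types); JSON keys match case-insensitively.
type container struct {
	Name            string
	SecurityContext *struct {
		AllowPrivilegeEscalation, RunAsNonRoot *bool
		Capabilities                           struct{ Drop []string }
	}
}

// Constructed sample: one hardened container, one half-configured, one with no securityContext.
const sample = `{"spec":{"template":{"spec":{"containers":[
 {"name":"hardened","securityContext":{"allowPrivilegeEscalation":false,"runAsNonRoot":true,"capabilities":{"drop":["ALL"]}}},
 {"name":"partial","securityContext":{"runAsNonRoot":true}},
 {"name":"receive-adapter"}]}}}}`

// Findings returns one "container: problem" entry per unset or weak field (field set is an assumption).
func Findings(manifest []byte) ([]string, error) {
	var d struct{ Spec struct{ Template struct{ Spec struct{ Containers []container } } } }
	if err := json.Unmarshal(manifest, &d); err != nil {
		return nil, err
	}
	var out []string
	for _, c := range d.Spec.Template.Spec.Containers {
		sc := c.SecurityContext
		if sc == nil {
			out = append(out, c.Name+": no securityContext")
			continue
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation not false")
		}
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			out = append(out, c.Name+": runAsNonRoot not true")
		}
		dropsAll := false
		for _, name := range sc.Capabilities.Drop {
			dropsAll = dropsAll || name == "ALL"
		}
		if !dropsAll {
			out = append(out, c.Name+": capabilities.drop lacks ALL")
		}
	}
	return out, nil
}
func main() { fmt.Println(Findings([]byte(sample))) }
```

Run over the output of a reconciler's unit test, a check like this catches dynamically built Deployments that static-manifest reviews never see.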