Enhance PodSecurityPolicy for restricted namespace #6533
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
knative-prow
bot
added
do-not-merge/work-in-progress
Codecov ReportBase: 81.96% // Head: 81.96% // No change to project coverage 👍
Additional details and impacted files@@ Coverage Diff @@
## main #6533 +/- ##
=======================================
Coverage 81.96% 81.96%
=======================================
Files 235 235
Lines 11726 11726
=======================================
Hits 9611 9611
Misses 1644 1644
Partials 471 471 Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
|
/test upgrade-tests |
* replacing all with ALL * adding seccompProfile to avoid warnings when deploying with restricted security policy Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
matzew
changed the title
knative-prow
bot
removed
the
do-not-merge/work-in-progress
|
/assign @evankanderson Hey, Evan, can you take a look here? /cc @rhuss @lionelvillard |
matzew
changed the title
knative-prow
bot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: evankanderson, matzew The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
matzew
changed the title
knative-prow
bot
removed
the
do-not-merge/work-in-progress
matzew
added a commit
to matzew/eventing-kafka-broker
that referenced
this pull request
Sep 27, 2022
* adding/updating securityContext, as needed, to allow running as 'restricted' standard. * adding seccompProfile PR references from knative/eventing repo: * knative/eventing#5863 * knative/eventing#6533 Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
matzew
added a commit
to matzew/eventing-kafka-broker
that referenced
this pull request
Sep 27, 2022
* adding/updating securityContext, as needed, to allow running as 'restricted' standard. * adding seccompProfile PR references from knative/eventing repo: * knative/eventing#5863 * knative/eventing#6533 Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
matzew
added a commit
to matzew/eventing-kafka-broker
that referenced
this pull request
Oct 21, 2022
* adding/updating securityContext, as needed, to allow running as 'restricted' standard. * adding seccompProfile PR references from knative/eventing repo: * knative/eventing#5863 * knative/eventing#6533 Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
matzew
added a commit
to matzew/eventing-kafka-broker
that referenced
this pull request
Oct 21, 2022
* adding/updating securityContext, as needed, to allow running as 'restricted' standard. * adding seccompProfile PR references from knative/eventing repo: * knative/eventing#5863 * knative/eventing#6533 Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
knative-prow bot
pushed a commit
to knative-extensions/eventing-kafka-broker
that referenced
this pull request
Oct 21, 2022
* 🛂 Addressing PodSecurity violation warnings: * adding/updating securityContext, as needed, to allow running as 'restricted' standard. * adding seccompProfile PR references from knative/eventing repo: * knative/eventing#5863 * knative/eventing#6533 Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * revert zipkin changes Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * Update control-plane/config/post-install/500-storage-version-migrator.yaml Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com> Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>
knative-prow-robot
pushed a commit
to knative-prow-robot/eventing-kafka-broker
that referenced
this pull request
Oct 24, 2022
* adding/updating securityContext, as needed, to allow running as 'restricted' standard. * adding seccompProfile PR references from knative/eventing repo: * knative/eventing#5863 * knative/eventing#6533 Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
knative-prow bot
pushed a commit
to knative-extensions/eventing-kafka-broker
that referenced
this pull request
Oct 24, 2022
* passport_control: Addressing PodSecurity violation warnings: * adding/updating securityContext, as needed, to allow running as 'restricted' standard. * adding seccompProfile PR references from knative/eventing repo: * knative/eventing#5863 * knative/eventing#6533 Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * revert zipkin changes Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> * Update control-plane/config/post-install/500-storage-version-migrator.yaml Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com> Signed-off-by: Matthias Wessendorf <mwessend@redhat.com> Co-authored-by: Matthias Wessendorf <mwessend@redhat.com> Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>
This was referenced Feb 28, 2023
knative-prow bot
pushed a commit
that referenced
this pull request
Mar 3, 2023
…ent (#6788) Fixes #6787 <!-- Please include the 'why' behind your changes if no issue exists --> ## Proposed Changes <!-- Please categorize your changes: - 🎁 Add new feature - 🐛 Fix bug - 🧹 Update or clean up current behavior - 🗑️ Remove feature or internal logic --> - similar to our static manifests we set the required SC bits (see: #6533), except SeccompProfile ### Pre-review Checklist <!-- If these boxes are not checked, you will be asked to complete these requirements or explain why they do not apply to your PR. --> - [ ] **At least 80% unit test coverage** - [ ] **E2E tests** for any new behavior - [ ] **Docs PR** for any user-facing impact - [ ] **Spec PR** for any new API feature - [ ] **Conformance test** for any change to the spec **Release Note** <!-- :page_facing_up: If this change has user-visible impact, write a release note in the block below. Include the string "action required" if additional action is required of users switching to the new release, for example in case of a breaking change. Write as if you are speaking to users, not other Knative contributors. If this change has no user-visible impact, no release note is needed. --> ```release-note SecurityContext settings for ApiServerSource's Receive Adapter's container/deployment ``` **Docs** <!-- :book: If this change has user-visible impact, link to an issue or PR in https://github.com/knative/docs. --> Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
vishal-chdhry
pushed a commit
to vishal-chdhry/eventing
that referenced
this pull request
Mar 14, 2023
…ent (knative#6788) Fixes knative#6787 <!-- Please include the 'why' behind your changes if no issue exists --> ## Proposed Changes <!-- Please categorize your changes: - 🎁 Add new feature - 🐛 Fix bug - 🧹 Update or clean up current behavior - 🗑️ Remove feature or internal logic --> - similar to our static manifests we set the required SC bits (see: knative#6533), except SeccompProfile ### Pre-review Checklist <!-- If these boxes are not checked, you will be asked to complete these requirements or explain why they do not apply to your PR. --> - [ ] **At least 80% unit test coverage** - [ ] **E2E tests** for any new behavior - [ ] **Docs PR** for any user-facing impact - [ ] **Spec PR** for any new API feature - [ ] **Conformance test** for any change to the spec **Release Note** <!-- :page_facing_up: If this change has user-visible impact, write a release note in the block below. Include the string "action required" if additional action is required of users switching to the new release, for example in case of a breaking change. Write as if you are speaking to users, not other Knative contributors. If this change has no user-visible impact, no release note is needed. --> ```release-note SecurityContext settings for ApiServerSource's Receive Adapter's container/deployment ``` **Docs** <!-- :book: If this change has user-visible impact, link to an issue or PR in https://github.com/knative/docs. --> Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Matthias Wessendorf mwessend@redhat.com
Fixes #6532
Proposed Changes
allwithALL, since this is the only acceptable string check here and here.must set securityContext.seccompProfile.type to "RuntimeDefault"warningsPre-review Checklist
Release Note
Docs