Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[podSecurityConfiguration]: fix apiVersion and change default policy … #10210

Merged
merged 1 commit into from
Jun 13, 2023
Merged

[podSecurityConfiguration]: fix apiVersion and change default policy … #10210

merged 1 commit into from
Jun 13, 2023

Conversation

ugur99
Copy link
Contributor

@ugur99 ugur99 commented Jun 10, 2023

Signed-off-by: Ugur Can Ozturk ugurozturk918@gmail.com

What type of PR is this?
/kind api-change

What this PR does / why we need it:
According to the documentation, the api version of pod-security.admission.config.k8s.io was upgraded to v1 with version v1.25. Even though v1beta1 and v1alpha1 are not deprecated yet, I think we should use v1 one.

And using the latest security standards can be confusing for people following the special version of Kubernetes documentation. It would be good if we change the security standard versions not to latest but same as major Kubernetes version to prevent this confusion. Even if it will be set as latest, it will be more appropriate for the user to do this consciously.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
For testing purposes, a new cluster was set up and tested.

Does this PR introduce a user-facing change?:

Unless the pod security standard versions are changed on intentionally, as default it will be the same major version with Kubernetes version.

@ugur99
[podSecurityConfiguration]: fix apiVersion and change default policy …
53e5475 
…versions

Signed-off-by: Ugur <ugurozturk918@gmail.com>
@k8s-ci-robot k8s-ci-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 10, 2023
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 10, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @ugur99. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 10, 2023
@yankay
Copy link
Member

yankay commented Jun 12, 2023

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 12, 2023
MrFreezeex
MrFreezeex approved these changes Jun 12, 2023
View reviewed changes
Copy link
Member

@MrFreezeex MrFreezeex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank for your contribution, looks good :).
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 12, 2023
oomichi
oomichi reviewed Jun 13, 2023
View reviewed changes
Copy link
Contributor

@oomichi oomichi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

roles/kubernetes/control-plane/templates/podsecurity.yaml.j2
@@ -1,5 +1,5 @@
{% if kube_pod_security_use_default %}
apiVersion: pod-security.admission.config.k8s.io/v1beta1
apiVersion: pod-security.admission.config.k8s.io/v1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

according to https://github.com/kubernetes/website/blob/9a0d240bb54395ed83cfa4cf434f3912a03a424e/content/en/docs/tutorials/security/cluster-level-pss.md?plain=1#L214

``pod-security.admission.config.k8s.io/v1 configuration requires v1.25+. and the minimum version Kubespray supports is v1.25.0.
So it is fine to change here as this.

@oomichi
Copy link
Contributor

oomichi commented Jun 13, 2023

I did put a wrong label 😅

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrFreezeex, oomichi, ugur99

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 13, 2023
@k8s-ci-robot k8s-ci-robot merged commit a962fa2 into kubernetes-sigs:master Jun 13, 2023
maciej-markowski pushed a commit to maciej-markowski/kubespray that referenced this pull request Jun 23, 2023
@ugur99 @maciej-markowski
[podSecurityConfiguration]: fix apiVersion and change default policy …
686f2a0 
…versions (kubernetes-sigs#10210)

Signed-off-by: Ugur <ugurozturk918@gmail.com>
@yankay yankay mentioned this pull request Aug 24, 2023
Closed
pedro-peter pushed a commit to pedro-peter/kubespray that referenced this pull request May 8, 2024
@ugur99 @pedromcpedro
[podSecurityConfiguration]: fix apiVersion and change default policy …
8382598 
…versions (kubernetes-sigs#10210)

Signed-off-by: Ugur <ugurozturk918@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oomichi oomichi oomichi left review comments

@MrFreezeex MrFreezeex MrFreezeex approved these changes

@cristicalin cristicalin Awaiting requested review from cristicalin

@jayonlau jayonlau Awaiting requested review from jayonlau

Assignees

@oomichi oomichi

@MrFreezeex MrFreezeex

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ugur99 @k8s-ci-robot @yankay @oomichi @MrFreezeex