Update unpack job pod security #2793
Conversation
/hold waiting for #2782 to merge before I can rebase this branch and get it merged.
/hold cancel
I have a couple of questions/nits/comments but nothing that seemed blocking.
@@ -7,6 +7,7 @@ import ( | |||
"strings" | |||
"time" | |||
|
|||
"github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security" |
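Review bot: the new `github.com/operator-framework/operator-lifecycle-manager/pkg/controller/security` import on the last line of this hunk lands in its own group below the standard-library imports (`strings`, `time`) instead of alongside the other operator-lifecycle-manager imports; move it into that group, and consider running `goimports -local github.com/operator-framework/operator-lifecycle-manager` over the file so the grouping is enforced mechanically instead of by review nits.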
nit: move this to the other OLM package imports that are grouped together.
are there some gofmt settings I can use to automagically sort them in the required way?
I think goimportas actually handles this, which is why I opened #2798 when I was initially reviewing this PR. That linter configuration is already present in rukpak/deppy, and has helped cut down on the back-and-forths for style-related PR review comments.
pkg/controller/security/security.go
// See: https://github.com/operator-framework/operator-registry/blob/master/Dockerfile#L27 | ||
var runAsUser int64 = 1001 | ||
|
||
var containerSecurityContext = &corev1.SecurityContext{ |
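Review bot: `var runAsUser int64 = 1001` is justified only by a link to `operator-registry/blob/master/Dockerfile#L27`, and a `master` line-number link goes stale the moment that file changes; pin the link to a commit SHA and spell out the invariant it encodes (the UID has to match the user the unpack image is built to run as, which is presumably what that Dockerfile line sets), because a mismatch surfaces at runtime as permission errors on the image's files rather than as an admission failure. Pairing the hardcoded UID with an explicit `RunAsNonRoot: true` in the same stanza also makes the intent auditable and has the kubelet refuse an accidental UID 0.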
Do we need to specify the "privileged" field here too, or is that the default value and we don't need to be explicit here?
Also: it looks like the container also has a SeccompProfile field. Do we need to propagate that to the container security context as well, or do we inherit that from the top-level podspec security context?
privileged does indeed default to false. But I have made it explicit, just in case. If I'm reading the docs correctly, the container should inherit the seccomp profile from the pod security context. So, I think we should be good. All good call outs!
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: perdasilva, timflannagan. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Holding in case we need more reviewers to take a look at these changes. /lgtm
/hold cancel - let's put it through. Need to downstream asap ahead of CF.
/hold cancel
* Update unpack job security
  Signed-off-by: perdasilva <[email protected]>
* Refactor catsrc pod creation to use security package
  Signed-off-by: perdasilva <[email protected]>
* Update unpack job pod security (#2793)
* Update unpack job security
  Signed-off-by: perdasilva <[email protected]>
* Refactor catsrc pod creation to use security package
  Signed-off-by: perdasilva <[email protected]>
* Refactor MagicCatalog removing superfluous interface and add factory method to create from file
  Signed-off-by: perdasilva <[email protected]>
* Switch TestContext client to be the e2e client and add crd garbage collection
  Signed-off-by: perdasilva <[email protected]>
* Add determined e2e client that retries on failure
  Signed-off-by: perdasilva <[email protected]>
* Small fixes
  Signed-off-by: perdasilva <[email protected]>
* Add olm gomega assertions and matchers
  Signed-off-by: perdasilva <[email protected]>
This reverts commit eedad28.
Signed-off-by: perdasilva <[email protected]>
* Revert "Unpack job security updates (#2805)"
  This reverts commit e568cde.
  Signed-off-by: perdasilva <[email protected]>
* Revert "Update unpack job pod security (#2793)"
  This reverts commit eedad28.
  Signed-off-by: perdasilva <[email protected]>
* Revert "Update CatalogSource Pod security context (#2782)"
  This reverts commit 99b51e7.
  Signed-off-by: perdasilva <[email protected]>
Description of the change:
Updates the security context stanzas for the bundle unpacking job's pod and containers to be more explicit and limited
Motivation for the change:
https://bugzilla.redhat.com/show_bug.cgi?id=2088541
Architectural changes:
I've added a `security` package with a function to update a pod spec with the standard security settings and refactored the CatalogSource pod creation function to use it as well.
Testing remarks:
I've updated the unit tests for the bundle unpacking job creation to pass. This also ensures that the correct security settings are in the job pod spec. I've also run the e2e tests and they passed.
NOTE: This PR is ready for review, though it will stay blocked until #2782 is merged - as this is a continuation of that PR
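As an added example (not code from this PR, from OLM, or from any of the reviewers), here is a Go sketch of the two things this thread touches: a helper that writes the pod-level and container-level securityContext stanzas in the spirit of the `security` package described above, and a checker that resolves what the kubelet actually applies when a field is left unset, which is exactly the pair of review questions here (privileged defaults to false when unset; a container with no seccompProfile of its own inherits the pod-level one). It uses hand-written stand-ins for the corev1 types so it compiles offline; the container names, the UID 1001 and the "restricted" Pod Security Standard rules it checks are this example's assumptions, not something the PR states.

```go
package main

import (
	"fmt"
	"strings"
)

// Offline stand-ins for the k8s.io/api/core/v1 securityContext types (assumption: field names
// and nil-means-unset pointer semantics mirror corev1; these are not the real types).
type SeccompProfile struct{ Type string } // RuntimeDefault, Localhost or Unconfined
type Capabilities struct{ Drop []string }
type PodSecurityContext struct {
	RunAsNonRoot   *bool
	RunAsUser      *int64
	SeccompProfile *SeccompProfile
}
type SecurityContext struct {
	Privileged               *bool // nil is treated as false by the kubelet
	AllowPrivilegeEscalation *bool // nil is treated as true by the kubelet
	RunAsNonRoot             *bool
	Capabilities             *Capabilities
	SeccompProfile           *SeccompProfile // nil means the pod-level profile applies
}
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
type PodSpec struct {
	SecurityContext *PodSecurityContext
	Containers      []Container
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(i int64) *int64 { return &i }

// ApplyRestricted writes a pod-level stanza plus an explicit stanza on every container so the
// spec meets the "restricted" Pod Security Standard; uid is the non-root user the image runs as.
func ApplyRestricted(spec *PodSpec, uid int64) {
	spec.SecurityContext = &PodSecurityContext{
		RunAsNonRoot:   boolPtr(true),
		RunAsUser:      int64Ptr(uid),
		SeccompProfile: &SeccompProfile{Type: "RuntimeDefault"},
	}
	for i := range spec.Containers {
		spec.Containers[i].SecurityContext = &SecurityContext{
			Privileged:               boolPtr(false), // already the default; explicit is easier to audit
			AllowPrivilegeEscalation: boolPtr(false),
			RunAsNonRoot:             boolPtr(true),
			Capabilities:             &Capabilities{Drop: []string{"ALL"}},
			// SeccompProfile is left nil on purpose: the pod-level profile is inherited.
		}
	}
}

// EffectiveSeccomp resolves what the kubelet applies to c: the container-level profile if set,
// otherwise the pod-level one, otherwise "" (no profile at all on a default kubelet).
func EffectiveSeccomp(spec *PodSpec, c *Container) string {
	if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
		return c.SecurityContext.SeccompProfile.Type
	}
	if spec.SecurityContext != nil && spec.SecurityContext.SeccompProfile != nil {
		return spec.SecurityContext.SeccompProfile.Type
	}
	return ""
}

// CheckRestricted returns one finding per violated "restricted" rule per container; an empty
// result means a namespace with pod-security.kubernetes.io/enforce=restricted would admit it.
func CheckRestricted(spec *PodSpec) []string {
	var out []string
	for i := range spec.Containers {
		c, sc := &spec.Containers[i], spec.Containers[i].SecurityContext
		if sc == nil {
			sc = &SecurityContext{} // nothing set: kubelet defaults apply
		}
		if sc.Privileged != nil && *sc.Privileged {
			out = append(out, c.Name+": privileged must not be true")
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			out = append(out, c.Name+": allowPrivilegeEscalation must be explicitly false")
		}
		if sc.Capabilities == nil || !strings.Contains(","+strings.Join(sc.Capabilities.Drop, ",")+",", ",ALL,") {
			out = append(out, c.Name+": capabilities.drop must include ALL")
		}
		nonRoot := sc.RunAsNonRoot // a container-level value overrides the pod-level one
		if nonRoot == nil && spec.SecurityContext != nil {
			nonRoot = spec.SecurityContext.RunAsNonRoot
		}
		if nonRoot == nil || !*nonRoot {
			out = append(out, c.Name+": runAsNonRoot must be true at pod or container level")
		}
		if p := EffectiveSeccomp(spec, c); p != "RuntimeDefault" && p != "Localhost" {
			out = append(out, c.Name+": seccompProfile.type must be RuntimeDefault or Localhost")
		}
	}
	return out
}

func main() {
	spec := &PodSpec{Containers: []Container{{Name: "util"}, {Name: "extract"}}} // constructed sample
	fmt.Println("before:", strings.Join(CheckRestricted(spec), "; "))
	ApplyRestricted(spec, 1001)
	fmt.Println("after:", len(CheckRestricted(spec)), "findings; seccomp:", EffectiveSeccomp(spec, &spec.Containers[1]))
}
```

The bare two-container spec produces eight findings (four per container) and none after ApplyRestricted; giving one container its own seccompProfile of Unconfined afterwards yields exactly one finding, which is the override-versus-inherit behaviour the review question was about. The caveat worth remembering is the other direction: when neither level sets a profile, the kubelet applies no seccomp filtering unless it was started with seccompDefault enabled, so the pod-level RuntimeDefault is what actually guarantees a filter for every container, including any added later.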