OCPNODE-2387: SCC: add AllowHostUsers field

Open haircommander opened this issue 1 year ago • 6 comments

to allow an SCC to toggle whether a pod is forced to be confined by a user namespace

haircommander avatar Jun 28 '24 17:06 haircommander

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

openshift-ci[bot] avatar Jun 28 '24 17:06 openshift-ci[bot]

Hello @haircommander! Some important instructions when contributing to openshift/api: API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

openshift-ci[bot] avatar Jun 28 '24 17:06 openshift-ci[bot]

@haircommander: This pull request references OCPNODE-2387 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.17.0" version, but no target version was set.

In response to this:

to allow an SCC to toggle whether a pod is forced to be confined by a user namespace

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Jun 28 '24 20:06 openshift-ci-robot

@ibihim @wallylewis are you both ok with this addition to SCC, I believe auth team would own this right?

JoelSpeed avatar Jul 10 '24 16:07 JoelSpeed

/retest

haircommander avatar Aug 06 '24 20:08 haircommander

/test minor-e2e-upgrade-minor

haircommander avatar Aug 20 '24 00:08 haircommander

/test minor-e2e-upgrade-minor

Odd that the CLI image is missing suddenly, I don't think that's a configuration problem

JoelSpeed avatar Aug 20 '24 08:08 JoelSpeed

/test /test minor-e2e-upgrade-minor

has magic fixed it :thinking:

haircommander avatar Aug 20 '24 13:08 haircommander

updated, thanks @JoelSpeed ! Any reviews I can gather work for me, @deads2k do you have any additional notes?

haircommander avatar Aug 20 '24 15:08 haircommander

Adding a new default breaks the integration tests, you'll have to add the new default field to the expected

JoelSpeed avatar Aug 20 '24 15:08 JoelSpeed

updated! thanks @JoelSpeed

haircommander avatar Aug 20 '24 16:08 haircommander

/test e2e-upgrade
/test e2e-aws-ovn-hypershift

haircommander avatar Aug 20 '24 20:08 haircommander

We are asking folks to fix SSA tags as and when they come up, could you please look into fixing, for most this is just a case of adding +listType=atomic unless there is an obvious need for a map type

error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.requiredDropCapabilities must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.allowedCapabilities must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.seccompProfiles must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.fsGroup.ranges must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.groups must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.supplementalGroups.ranges must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.defaultAddCapabilities must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.volumes must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.allowedFlexVolumes must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.allowedUnsafeSysctls must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.forbiddenSysctls must set x-kubernetes-list-type
error in security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml: ListsMustHaveSSATags: crd/securitycontextconstraints.security.openshift.io version/v1 field/^.users must set x-kubernetes-list-type

JoelSpeed avatar Aug 21 '24 11:08 JoelSpeed
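
The ListsMustHaveSSATags errors above name every array field in the CRD schema that lacks `x-kubernetes-list-type`, which is what the `+listType=atomic` marker generates. As an added illustration (not code from openshift/api or its verify-crd-schema job), this Go program walks a schema and reports such fields; the sample is constructed, written as JSON rather than the generated YAML so it needs only the standard library, and reuses field names from the error output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// schema is the subset of a CRD openAPIV3Schema node this check reads.
type schema struct {
	Type       string             `json:"type"`
	Properties map[string]*schema `json:"properties"`
	Items      *schema            `json:"items"`
	ListType   string             `json:"x-kubernetes-list-type"`
}

// constructedSchema is a constructed sample, not the real SCC CRD: only "volumes" is tagged.
const constructedSchema = `{"type": "object", "properties": {
 "users": {"type": "array", "items": {"type": "string"}},
 "volumes": {"type": "array", "x-kubernetes-list-type": "atomic", "items": {"type": "string"}},
 "fsGroup": {"type": "object", "properties": {
  "ranges": {"type": "array", "items": {"type": "object"}}}}}}`

// missingListType returns the sorted paths of array fields without x-kubernetes-list-type.
func missingListType(s *schema, path string) (out []string) {
	if s == nil {
		return nil
	}
	if s.Type == "array" && s.ListType == "" {
		out = append(out, path)
	}
	for name, child := range s.Properties {
		out = append(out, missingListType(child, path+"."+name)...)
	}
	out = append(out, missingListType(s.Items, path+"[]")...) // lists nested in list items
	sort.Strings(out)
	return out
}

// check parses a JSON schema document and walks it from the root, written "^" as in the log.
func check(doc string) ([]string, error) {
	var root schema
	if err := json.Unmarshal([]byte(doc), &root); err != nil {
		return nil, err
	}
	return missingListType(&root, "^"), nil
}

func main() { fmt.Println(check(constructedSchema)) }
```
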

updated @JoelSpeed !

haircommander avatar Aug 21 '24 14:08 haircommander

/override ci/prow/verify-crd-schema

We can't fix the existing NoBool issues

JoelSpeed avatar Aug 21 '24 15:08 JoelSpeed

@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/verify-crd-schema

In response to this:

/override ci/prow/verify-crd-schema

We can't fix the existing NoBool issues

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar Aug 21 '24 15:08 openshift-ci[bot]

/retest

haircommander avatar Aug 21 '24 16:08 haircommander

/retest

haircommander avatar Aug 21 '24 19:08 haircommander

/retest

haircommander avatar Aug 22 '24 01:08 haircommander

/retest

haircommander avatar Aug 22 '24 03:08 haircommander

LGTM once the auth team ack

/override ci/prow/verify-crd-schema

JoelSpeed avatar Aug 22 '24 07:08 JoelSpeed

@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/verify-crd-schema

In response to this:

LGTM once the auth team ack

/override ci/prow/verify-crd-schema

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar Aug 22 '24 07:08 openshift-ci[bot]

/lgtm

liouk avatar Aug 22 '24 14:08 liouk

/lgtm

JoelSpeed avatar Aug 22 '24 15:08 JoelSpeed

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, JoelSpeed, liouk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment

Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Aug 22 '24 15:08 openshift-ci[bot]

/retest-required

Remaining retests: 0 against base HEAD 717c5f8afa740e80c886e8708245e228fd95a1d4 and 2 for PR HEAD 8a4c0e172baf8e2241834f5b68fd44d35dcfc5c0 in total

openshift-ci-robot avatar Aug 22 '24 16:08 openshift-ci-robot

/override ci/prow/verify-crd-schema

mrunalp avatar Aug 22 '24 16:08 mrunalp

@mrunalp: Overrode contexts on behalf of mrunalp: ci/prow/verify-crd-schema

In response to this:

/override ci/prow/verify-crd-schema

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar Aug 22 '24 16:08 openshift-ci[bot]

/override ci/prow/verify-crd-schema

mrunalp avatar Aug 22 '24 17:08 mrunalp

@mrunalp: Overrode contexts on behalf of mrunalp: ci/prow/verify-crd-schema

In response to this:

/override ci/prow/verify-crd-schema

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar Aug 22 '24 17:08 openshift-ci[bot]