origin icon indicating copy to clipboard operation
origin copied to clipboard

Published 20 hours ago verified publisher icon openshift

OCPBUGS-42044: Minimize `git-clone` Privileges

Open adambkaplan opened this issue 1 year ago • 12 comments

As part of the mitigation for CVE-2024-45496, the git-clone container for builds was updated to run unprivileged and a minimal set of Linux capabilities enabled. This update ensures that we do not regress and elevate the permissions granted to the git-clone container in builds.

adambkaplan avatar Sep 16 '24 21:09 adambkaplan

@adambkaplan: This pull request references Jira Issue OCPBUGS-42044, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.0) matches configured target version for branch (4.18.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @jitendar-singh

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

As part of the mitigation for CVE-2024-45496, the git-clone container for builds was updated to run unprivileged and a minimal set of Linux capabilities enabled. This update ensures that we do not regress and elevate the permissions granted to the git-clone container in builds.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Sep 16 '24 21:09 openshift-ci-robot

/approve

deads2k avatar Sep 16 '24 21:09 deads2k

/cherrypick release-4.17,release-4.16,release-4.15,release-4.14,release-4.13,release-4.12

adambkaplan avatar Sep 16 '24 21:09 adambkaplan

@adambkaplan: once the present PR merges, I will cherry-pick it on top of release-4.17,release-4.16,release-4.15,release-4.14,release-4.13,release-4.12 in a new PR and assign it to you.

In response to this:

/cherrypick release-4.17,release-4.16,release-4.15,release-4.14,release-4.13,release-4.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-cherrypick-robot avatar Sep 16 '24 21:09 openshift-cherrypick-robot

/approve

sayan-biswas avatar Sep 17 '24 06:09 sayan-biswas

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, deads2k, sayan-biswas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar Sep 17 '24 06:09 openshift-ci[bot]

/test e2e-gcp-ovn-builds

sayan-biswas avatar Sep 17 '24 06:09 sayan-biswas

Note - this might need another re-test. The commit with the patch was not added to our public repo until this morning (after I pushed the test fix commit).

adambkaplan avatar Sep 17 '24 14:09 adambkaplan

/retest

Test ran before the patches were made public.

adambkaplan avatar Sep 17 '24 18:09 adambkaplan

/retest

adambkaplan avatar Oct 11 '24 21:10 adambkaplan

Job Failure Risk Analysis for sha: 56e238bdbaa4256fa6f3e2c1e23eade8d398cbad

Job Name Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-upgrade Medium
[bz-kube-apiserver][invariant] alert/KubeAPIErrorBudgetBurn should not be at or above info
This test has passed 89.89% of 178 runs on release 4.18 [Architecture:amd64 FeatureSet:default Installer:ipi Network:ovn NetworkStack:ipv4 Platform:aws SecurityMode:default Topology:single Upgrade:micro] in the last week.

Open Bugs
SNO error rate for alert/KubeAPIErrorBudgetBurn should not be at or above info
alert/KubeAPIErrorBudgetBurn should not be at or above info
alert/KubeAPIErrorBudgetBurn should not be at or above info

openshift-trt-bot avatar Oct 12 '24 01:10 openshift-trt-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot avatar Jan 10 '25 09:01 openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot avatar Feb 10 '25 00:02 openshift-bot

@adambkaplan: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-single-node-upgrade 56e238bdbaa4256fa6f3e2c1e23eade8d398cbad link false /test e2e-aws-ovn-single-node-upgrade
ci/prow/e2e-gcp-ovn-builds 56e238bdbaa4256fa6f3e2c1e23eade8d398cbad link true /test e2e-gcp-ovn-builds
ci/prow/e2e-aws-ovn-ipsec-serial 56e238bdbaa4256fa6f3e2c1e23eade8d398cbad link false /test e2e-aws-ovn-ipsec-serial
ci/prow/e2e-vsphere-ovn 56e238bdbaa4256fa6f3e2c1e23eade8d398cbad link true /test e2e-vsphere-ovn
ci/prow/e2e-vsphere-ovn-upi 56e238bdbaa4256fa6f3e2c1e23eade8d398cbad link true /test e2e-vsphere-ovn-upi

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Feb 12 '25 22:02 openshift-ci[bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-bot avatar Mar 31 '25 00:03 openshift-bot

@openshift-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar Mar 31 '25 00:03 openshift-ci[bot]

@adambkaplan: This pull request references Jira Issue OCPBUGS-42044. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

In response to this:

As part of the mitigation for CVE-2024-45496, the git-clone container for builds was updated to run unprivileged and a minimal set of Linux capabilities enabled. This update ensures that we do not regress and elevate the permissions granted to the git-clone container in builds.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Mar 31 '25 00:03 openshift-ci-robot