(bugfix): OCPBUGS-3072 - fix operator-sdk run bundle(-upgrade) PSA related issues #6210
| @@ -139,7 +139,7 @@ func (c *IndexImageCatalogCreator) BindFlags(fs *pflag.FlagSet) { | |||
| "while pulling bundles") | |||
|
|
|||
| // default to Restricted | |||
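Review bot: the comment `// default to Restricted` on the `--security-context-config` flag registration in `BindFlags` no longer matches the behaviour this PR describes, where the flag now defaults to `legacy`; update the comment to `// default to Legacy` so the comment and the actual default value do not disagree.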
| // default to Restricted | |
| // default to Legacy |
| func withGrpcPodConfig(securityContextConfig string) func(*v1alpha1.CatalogSource) { | ||
| return func(cs *v1alpha1.CatalogSource) { | ||
| cs.Spec.GrpcPodConfig = &v1alpha1.GrpcPodConfig{ | ||
| SecurityContextConfig: v1alpha1.SecurityConfig(securityContextConfig), | ||
| } | ||
| } | ||
| } |
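Review bot: `withGrpcPodConfig` assigns a brand-new `&v1alpha1.GrpcPodConfig{...}` to `cs.Spec.GrpcPodConfig`, which silently discards any other `GrpcPodConfig` fields a caller already set on the CatalogSource; since the option only carries a `securityContextConfig` string, either guard with `if cs.Spec.GrpcPodConfig == nil` and set just `SecurityContextConfig`, or rename the option so its name matches the single field it sets.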
Function name should align with what we're passing into the function. Either pass in the full grpcPodConfig or rename (and refactor) to just handle the securityContextConfig.
Suggestion showing the latter option:
| func withGrpcPodConfig(securityContextConfig string) func(*v1alpha1.CatalogSource) { | |
| return func(cs *v1alpha1.CatalogSource) { | |
| cs.Spec.GrpcPodConfig = &v1alpha1.GrpcPodConfig{ | |
| SecurityContextConfig: v1alpha1.SecurityConfig(securityContextConfig), | |
| } | |
| } | |
| } | |
| func withGrpcPodSecurityContextConfig(securityContextConfig string) func(*v1alpha1.CatalogSource) { | |
| return func(cs *v1alpha1.CatalogSource) { | |
| if cs.Spec.GrpcPodConfig == nil { | |
| cs.Spec.GrpcPodConfig = &v1alpha1.GrpcPodConfig{} | |
| } | |
| cs.Spec.GrpcPodConfig.SecurityContextConfig = v1alpha1.SecurityConfig(securityContextConfig) | |
| } | |
| } | |
| } |
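Review bot: as rendered, the suggested `withGrpcPodSecurityContextConfig` block ends with four closing braces for three opened blocks (the `func`, the returned closure and the `if`), so the final `}` on the last line has to go before the suggestion is applied; the nil guard itself is the right fix, since it keeps any other `GrpcPodConfig` fields the caller already set instead of overwriting the whole struct.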
@everettraven The SecurityContext was always there even before PSA. So are we saying that if the context is legacy mode that ALL of the security contexts are removed? It might be correct, but I'd make sure to ask that we're not undoing something that was needed before.
@jmrodri I don't think we ran into this issue previously because we were by default using a container in the pod that wasn't running as root. The problem is that when you specify a specific index image that may be attempting to run as root and set I haven't taken a look at this for a couple weeks since I was on vacation, so I don't recall if I have tested all possible scenarios. Since I have to fix the failing unit tests I will run through a manual suite of tests again to ensure this is functioning as expected.
Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
| - click `Edit` on the `v.*` branch rule. | ||
| - In section `Protect matching branches` of the `Rule settings` box, set "Required approving reviewers" to `6`. | ||
| 1. Lock down the `v1.3.x` branch to prevent further commits before the release completes: | ||
| 1. Go to `Settings -> Branches` in the SDK repo. |
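Review bot: the two sub-steps (`- click `Edit` on the `v.*` branch rule.` and `- In section `Protect matching branches` ...`) need to be indented under the numbered step they belong to; as written they sit at the same level as the `1.` items, so the docs renderer produces a flat list rather than nested steps. Indent each sub-step by the width of the parent `1. ` marker so it nests correctly.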
Nit: I think the formatting here didn't quite do what you intended with the indents
Yeah, running the docs site locally it doesn't look like it formatted correctly. That being said, I pretty much snatched this straight from an existing section for locking down the branch and just changed some values. The section I snatched from:
/lgtm
/cherry-pick v1.26.x
@everettraven: new pull request created: #6226. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick v1.25.x
@rashmigottipati: #6210 failed to apply on top of branch "v1.25.x". In response to this:
…related issues (operator-framework#6210) Signed-off-by: rashmigottipati <chowdary.grashmi@gmail.com>
operator-sdk run bundle(-upgrade) is running by default in legacy mode (see: operator-framework/operator-sdk#6210 ) which is not going to work out of the box on OCP/OKD 4.14 where PSA is enforced to restricted by default. Set --security-context-config=restricted to be able to execute on CI also on OCP/OKD 4.14. Signed-off-by: stirabos <stirabos@redhat.com>
Description of the change:
- `SecurityContext` from the registry pod containers created by `operator-sdk run bundle(-upgrade)` to only be added to the containers when `--security-context-config=restricted`
- `--security-context-config` flag to be `legacy` in anticipation of some OpenShift PSA changes.
- `CatalogSource.grpcPodConfig.securityContextConfig` to the same value of the `--security-context-config` flag.

Motivation for the change:
- `operator-sdk-run-bundle`.
- `--security-context-config=legacy`, the registry pod created still set the `SecurityContext` on the container as if it was in a restricted environment.

Checklist
If the pull request includes user-facing changes, extra documentation is required:
- `changelog/fragments` (see `changelog/fragments/00-template.yaml`)
- `website/content/en/docs`
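An added Go example, not code from this PR or from operator-sdk, showing the two behaviours the description lists: the registry container gets a `SecurityContext` only for `restricted` (none at all for `legacy`, which is the bug the motivation describes), and the CatalogSource option sets only `securityContextConfig`, creating `grpcPodConfig` when missing. The types are simplified stand-ins for `corev1.SecurityContext` and `v1alpha1.GrpcPodConfig`, and the exact restricted-profile field values are assumptions.

```go
package main

import "fmt"

// Simplified stand-ins for corev1.SecurityContext and v1alpha1.GrpcPodConfig
// (assumption: only the fields relevant to this PR are modelled).
type SecurityContext struct {
	RunAsNonRoot             bool
	AllowPrivilegeEscalation bool
	DropCapabilities         []string
	SeccompProfile           string
}

type GrpcPodConfig struct {
	NodeSelector          map[string]string // unrelated field that must survive
	SecurityContextConfig string
}

type CatalogSource struct{ Spec struct{ GrpcPodConfig *GrpcPodConfig } }

const (
	SecurityConfigLegacy     = "legacy" // the PR's new default
	SecurityConfigRestricted = "restricted"
)

// registrySecurityContext is the fixed behaviour: a restricted-PSA-compatible
// context only for "restricted"; "legacy" adds no SecurityContext at all.
// The restricted field values below are assumed, not taken from operator-sdk.
func registrySecurityContext(cfg string) (*SecurityContext, error) {
	switch cfg {
	case SecurityConfigLegacy:
		return nil, nil
	case SecurityConfigRestricted:
		return &SecurityContext{RunAsNonRoot: true, AllowPrivilegeEscalation: false,
			DropCapabilities: []string{"ALL"}, SeccompProfile: "RuntimeDefault"}, nil
	default:
		return nil, fmt.Errorf("unknown --security-context-config value %q", cfg)
	}
}

// withGrpcPodSecurityContextConfig follows the reviewer's suggestion: set only
// securityContextConfig, creating GrpcPodConfig when absent and otherwise
// leaving the caller's other GrpcPodConfig fields untouched.
func withGrpcPodSecurityContextConfig(cfg string) func(*CatalogSource) {
	return func(cs *CatalogSource) {
		if cs.Spec.GrpcPodConfig == nil {
			cs.Spec.GrpcPodConfig = &GrpcPodConfig{}
		}
		cs.Spec.GrpcPodConfig.SecurityContextConfig = cfg
	}
}

func main() { sc, _ := registrySecurityContext(SecurityConfigRestricted); fmt.Printf("%+v\n", sc) }
```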