
Conversation

@evankanderson (Member)

Fixes #13398

seccompProfile.type should only be set to RuntimeDefault or Localhost in the restricted Pod Security Standard.
Allow users to set the seccompProfile so that they can run Knative user-containers in restricted mode.

Relates to #13376

Proposed Changes

  • Allow users to set seccompProfile in PodSecurityContext and SecurityContext

Release Note

Services may now set `seccompProfile` in SecurityContext to allow users to comply with the `restricted` Pod Security Standards best-practice

@knative-prow

knative-prow bot commented Oct 16, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson


@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. area/API API objects and controllers labels Oct 16, 2022
@codecov

codecov bot commented Oct 16, 2022

Codecov Report

Base: 86.52% // Head: 86.45% // Decreases project coverage by -0.06% ⚠️

Coverage data is based on head (630c08d) compared to base (a18077c).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13401      +/-   ##
==========================================
- Coverage   86.52%   86.45%   -0.07%     
==========================================
  Files         196      196              
  Lines       14551    14556       +5     
==========================================
- Hits        12590    12585       -5     
- Misses       1662     1671       +9     
- Partials      299      300       +1     
Impacted Files Coverage Δ
pkg/apis/serving/fieldmask.go 95.61% <100.00%> (+0.04%) ⬆️
pkg/http/handler/timeout.go 84.76% <0.00%> (-6.63%) ⬇️


@evankanderson (Member Author)

/assign @psschwei @skonto

@psschwei (Member) left a comment

One minor nit: we should also edit the features configmap to include this as one of the fields that can be set when the gate is on. Otherwise, looks good to me
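To make the PR description and the review nit above concrete, here is an added example, not Knative's own code and not part of this PR, of what the `restricted` Pod Security Standard demands of the pod template that a Knative Service's `spec.template.spec` becomes: a Go checker that computes each container's effective `seccompProfile.type` (the container-level value, falling back to the pod-level one), rejects `Unconfined` and an unset profile, and requires `localhostProfile` whenever the type is `Localhost`; plus a constructed Knative Service manifest, in JSON form, showing the pod-level `securityContext.seccompProfile` a user can now set. Assumptions: the struct types are a hand-written subset of the Kubernetes API types rather than `k8s.io/api`; both manifests are constructed (the second relies on Knative's multi-container support to carry a second container); and the gate psschwei refers to, `kubernetes.podspec-securitycontext` in the `config-features` ConfigMap, is named from memory and should be checked against your release.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example, not Knative code. Hand-written subset of the Kubernetes
// PodSpec/SecurityContext types, kept minimal so this runs with the standard
// library only (assumption: field names match the real API, which they do for
// the fields used here).
type SeccompProfile struct {
	Type             string `json:"type"`
	LocalhostProfile string `json:"localhostProfile,omitempty"`
}

type SecurityContext struct {
	SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	Containers      []Container      `json:"containers"`
}

// Service mirrors the path a Knative Service uses to carry its pod template:
// spec.template.spec is the (field-masked) PodSpec.
type Service struct {
	Spec struct {
		Template struct {
			Spec PodSpec `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// profileType returns (type, localhostProfile), both "" when nothing is set.
func profileType(sc *SecurityContext) (string, string) {
	if sc == nil || sc.SeccompProfile == nil {
		return "", ""
	}
	return sc.SeccompProfile.Type, sc.SeccompProfile.LocalhostProfile
}

// CheckRestrictedSeccomp applies the seccomp rule of the "restricted" Pod
// Security Standard: each container's effective profile (container-level
// value, falling back to the pod-level one) must be RuntimeDefault or
// Localhost. Unconfined is rejected wherever it appears, and "unset" is
// rejected because restricted does not allow falling back to the runtime's
// default. One message per violation; an empty result means compliant.
func CheckRestrictedSeccomp(ps PodSpec) []string {
	var violations []string
	podType, podLocal := profileType(ps.SecurityContext)
	switch podType {
	case "", "RuntimeDefault":
		// unset at pod level is fine as long as every container sets its own
	case "Localhost":
		if podLocal == "" {
			violations = append(violations, "pod: seccompProfile.type Localhost requires localhostProfile")
		}
	default:
		violations = append(violations, fmt.Sprintf("pod: seccompProfile.type %q is not allowed (want RuntimeDefault or Localhost)", podType))
	}
	for _, c := range ps.Containers {
		effective, local := profileType(c.SecurityContext)
		if effective == "" {
			effective, local = podType, podLocal
		}
		switch effective {
		case "":
			violations = append(violations, fmt.Sprintf("container %q: seccompProfile.type is unset at both pod and container level", c.Name))
		case "RuntimeDefault":
		case "Localhost":
			if local == "" {
				violations = append(violations, fmt.Sprintf("container %q: seccompProfile.type Localhost requires localhostProfile", c.Name))
			}
		default:
			violations = append(violations, fmt.Sprintf("container %q: seccompProfile.type %q is not allowed (want RuntimeDefault or Localhost)", c.Name, effective))
		}
	}
	return violations
}

// CheckServiceJSON parses a Knative Service manifest in JSON form and checks
// its pod template.
func CheckServiceJSON(raw string) ([]string, error) {
	var svc Service
	if err := json.Unmarshal([]byte(raw), &svc); err != nil {
		return nil, err
	}
	return CheckRestrictedSeccomp(svc.Spec.Template.Spec), nil
}

// Constructed sample manifests (not from the PR). The first sets the pod-level
// profile the way this PR makes possible; it only reaches the Pod when the
// kubernetes.podspec-securitycontext flag (name assumed) is enabled in
// config-features. The second shows the two failure modes restricted rejects.
const CompliantService = `{
  "apiVersion": "serving.knative.dev/v1", "kind": "Service",
  "metadata": {"name": "hello"},
  "spec": {"template": {"spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "user-container", "image": "example.com/hello:latest"}]
  }}}
}`

const NonCompliantService = `{
  "apiVersion": "serving.knative.dev/v1", "kind": "Service",
  "metadata": {"name": "hello"},
  "spec": {"template": {"spec": {
    "containers": [
      {"name": "user-container", "image": "example.com/hello:latest"},
      {"name": "sidecar", "image": "example.com/sidecar:latest",
       "securityContext": {"seccompProfile": {"type": "Unconfined"}}}
    ]
  }}}
}`

func main() {
	for _, m := range []struct{ name, raw string }{{"compliant", CompliantService}, {"non-compliant", NonCompliantService}} {
		v, err := CheckServiceJSON(m.raw)
		if err != nil {
			fmt.Println(m.name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d violation(s)\n", m.name, len(v))
		for _, msg := range v {
			fmt.Println("  -", msg)
		}
	}
}
```

On a cluster this is the same rule Pod Security Admission applies once a namespace carries `pod-security.kubernetes.io/enforce: restricted`; Knative's field mask only decides whether the user's `seccompProfile` survives into the Pod, which is why the gate in `config-features` has to list the field as well, as the review nit asks.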

@psschwei (Member) left a comment

/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 18, 2022
@knative-prow knative-prow bot merged commit d108ba9 into knative:main Oct 18, 2022
skonto pushed a commit to skonto/serving that referenced this pull request Oct 19, 2022
openshift-merge-robot pushed a commit to openshift/knative-serving that referenced this pull request Oct 24, 2022
…restricted security profile (#1284)

* Allow setting seccompProfile to enable using restricted security profile (knative#13401)

* fix features cm

Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
skonto pushed a commit to skonto/serving that referenced this pull request Nov 15, 2022
…restricted security profile (knative#1284)

* Allow setting seccompProfile to enable using restricted security profile (knative#13401)

* fix features cm

Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
openshift-merge-robot pushed a commit to openshift-knative/serving that referenced this pull request Nov 15, 2022
…restricted security profile (#1284) (#9)

* Allow setting seccompProfile to enable using restricted security profile (knative#13401)

* fix features cm

Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>

Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
@dprotaso dprotaso added this to the v1.8.0 milestone Nov 24, 2022
openshift-merge-robot pushed a commit to openshift-knative/serving that referenced this pull request Dec 22, 2022
#91)

* [RELEASE-1.5][BACKPORT] Allow setting seccompProfile to enable using restricted security profile  (#1284) (#9)

* Allow setting seccompProfile to enable using restricted security profile (knative#13401)

* fix features cm

Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>

Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>

* Update checksum

Co-authored-by: Stavros Kontopoulos <st.kontopoulos@gmail.com>
Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
wmfgerrit pushed a commit to wikimedia/operations-docker-images-production-images that referenced this pull request Feb 3, 2025
The commit knative/serving#13401 allows
pods scheduled/created via knative-serving to be set with a
seccomp profile, required by the PSS migration to allow running
pods in the "restricted" security realm.

The commit knative/serving#13398 adds
a config-map flag to inject secure defaults for pods not running
with specific settings, to allow the PSS restricted profile.

Bug: T369493
Change-Id: Ib2ec22d4ccdeebda3ba775bdcd3d4e1be520f7ed
