Fix: Add the new AllowPrivilegeEscalation field to the *other* fieldmask.
#13402
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…dmask. 🐛 My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395
mattmoor
commented
Oct 16, 2022
| - Requests | ||
| k8s.io/api/core/v1.SecurityContext: | ||
| fieldMask: | ||
| - AllowPrivilegeEscalation |
Member
Author
There was a problem hiding this comment.
@evankanderson I didn't realize y'all had added this, so I totally missed it. FYI in case you are adding seccomp stuff, you may need this too (if you were following my bad example! 😂 )
Member
There was a problem hiding this comment.
@markusthoemmes added this, so that we could produce a structural schema for our crds.
Member
Author
There was a problem hiding this comment.
It was just after my time. TIL!
Codecov ReportBase: 86.52% // Head: 86.47% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #13402 +/- ##
==========================================
- Coverage 86.52% 86.47% -0.05%
==========================================
Files 196 196
Lines 14551 14551
==========================================
- Hits 12590 12583 -7
- Misses 1662 1669 +7
Partials 299 299
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: evankanderson, mattmoor The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
mattmoor
added a commit
to mattmoor/hakn
that referenced
this pull request
Oct 16, 2022
🐛 I missed a file in my upstream fix, which kept the field from appearing in the CRD schema. This pulls in that change too. /kind bug
mattmoor
added a commit
to mattmoor/hakn
that referenced
this pull request
Oct 16, 2022
🐛 I missed a file in my upstream fix, which kept the field from appearing in the CRD schema. This pulls in that change too. /kind bug
mattmoor
added a commit
to chainguard-dev/hakn
that referenced
this pull request
Oct 17, 2022
🐛 I missed a file in my upstream fix, which kept the field from appearing in the CRD schema. This pulls in that change too. /kind bug
skonto
pushed a commit
to skonto/serving
that referenced
this pull request
Oct 19, 2022
…dmask. (knative#13402) 🐛 My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395
skonto
pushed a commit
to skonto/serving
that referenced
this pull request
Oct 27, 2022
…dmask. (knative#13402) 🐛 My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395
openshift-merge-robot
pushed a commit
to openshift/knative-serving
that referenced
this pull request
Oct 27, 2022
…ion (#1282) * Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395) :gift: This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug * Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402) :bug: My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395 * add allowPrivilegeEscalation to manifests Co-authored-by: Matt Moore <mattmoor@chainguard.dev>
skonto
pushed a commit
to skonto/serving
that referenced
this pull request
Nov 16, 2022
…ion (knative#1282) * Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395) :gift: This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug * Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402) :bug: My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395 * add allowPrivilegeEscalation to manifests Co-authored-by: Matt Moore <mattmoor@chainguard.dev>
openshift-merge-robot
pushed a commit
to openshift-knative/serving
that referenced
this pull request
Nov 16, 2022
…e` on ksvc. (#18) * [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation (#1282) * Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395) :gift: This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug * Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402) :bug: My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395 * add allowPrivilegeEscalation to manifests Co-authored-by: Matt Moore <mattmoor@chainguard.dev> * Add missing allowPrivilegeEscalation patch into 1-serving-crds.yaml (#1301) * fix download script Co-authored-by: Matt Moore <mattmoor@chainguard.dev> Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com>
openshift-merge-robot
pushed a commit
to openshift-knative/serving
that referenced
this pull request
Dec 22, 2022
…e` on ksvc. (#18) (#90) * [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation (#1282) * Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395) :gift: This allows used to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges. Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false! https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard /kind bug * Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402) :bug: My previous changed missed the new config file that controls how the CRD schema is updated. You can now clearly see the fields being added to the schemas. Apologies for the break, I had no clue this was a thing! /kind bug Related: knative#13395 * add allowPrivilegeEscalation to manifests Co-authored-by: Matt Moore <mattmoor@chainguard.dev> * Add missing allowPrivilegeEscalation patch into 1-serving-crds.yaml (#1301) * fix download script Co-authored-by: Matt Moore <mattmoor@chainguard.dev> Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com> Co-authored-by: Stavros Kontopoulos <st.kontopoulos@gmail.com> Co-authored-by: Matt Moore <mattmoor@chainguard.dev> Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com>
wmfgerrit
pushed a commit
to wikimedia/operations-docker-images-production-images
that referenced
this pull request
Feb 5, 2025
Bug: T369493 Change-Id: Id1c8febe84e5c207491322a19168cac1359eb411
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🐛 My previous changed missed the new config file that controls how the CRD schema is updated.
You can now clearly see the fields being added to the schemas.
Apologies for the break, I had no clue this was a thing!
/kind bug
Related: #13395
/cc @evankanderson @psschwei