This repository was archived by the owner on Dec 1, 2022. It is now read-only.

@skonto skonto commented Oct 19, 2022

@openshift-ci openshift-ci bot requested review from mgencur and mvinkler October 19, 2022 21:14
@openshift-ci openshift-ci bot added area/test-and-release Issues or PRs related to test and release approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 19, 2022
@skonto skonto changed the title [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation [wip] [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation Oct 19, 2022
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 19, 2022
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 26, 2022
mattmoor and others added 3 commits October 27, 2022 14:14
…native#13395)

🎁 This allows users to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges.

Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false!

https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard

/kind bug
…dmask. (knative#13402)

🐛 My previous change missed the new config file that controls how the CRD schema is updated.

You can now clearly see the fields being added to the schemas.

Apologies for the break, I had no clue this was a thing!

/kind bug

Related: knative#13395
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 27, 2022
skonto commented Oct 27, 2022

/assign @nak3

@skonto skonto changed the title [wip] [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation Oct 27, 2022
@skonto skonto requested a review from nak3 October 27, 2022 11:36
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 27, 2022
@skonto skonto removed request for mgencur and mvinkler October 27, 2022 11:36
nak3 commented Oct 27, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 27, 2022
openshift-ci bot commented Oct 27, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nak3, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

skonto commented Oct 27, 2022

/test 410-e2e-aws-ocp-410

openshift-ci bot commented Oct 27, 2022

@skonto: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit 5b5eb3f into openshift:release-v1.5 Oct 27, 2022
openshift-cherrypick-robot pushed a commit to openshift-cherrypick-robot/knative-serving that referenced this pull request Nov 24, 2022
…e` on ksvc. (openshift#18)

* [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation (openshift#1282)

* Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395)

:gift: This allows users to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges.

Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false!

https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard

/kind bug

* Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402)

:bug: My previous change missed the new config file that controls how the CRD schema is updated.

You can now clearly see the fields being added to the schemas.

Apologies for the break, I had no clue this was a thing!

/kind bug

Related: knative#13395

* add allowPrivilegeEscalation to manifests

Co-authored-by: Matt Moore <mattmoor@chainguard.dev>

* Add missing allowPrivilegeEscalation patch into 1-serving-crds.yaml (openshift#1301)

* fix download script

Co-authored-by: Matt Moore <mattmoor@chainguard.dev>
Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com>
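
Added example, not part of this pull request or of Knative's code: once `allowPrivilegeEscalation` can be set on a ksvc, the sketch below audits Knative Services for containers that still leave it unset or true, which is the condition a posture scanner would flag. The sample input is constructed in the shape of `kubectl get ksvc -A -o json`; the namespaces, service names and the `audit_ksvc` helper are assumptions for illustration.

```python
import json

# Constructed sample, trimmed to the fields the audit reads.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "cart"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "user-container",
      "securityContext": {"allowPrivilegeEscalation": false}}]}}}},
  {"metadata": {"namespace": "shop", "name": "search"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "user-container",
      "securityContext": {"runAsNonRoot": true}}]}}}},
  {"metadata": {"namespace": "ops", "name": "report"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "user-container"},
     {"name": "sidecar",
      "securityContext": {"allowPrivilegeEscalation": true}}]}}}}
]}
""")


def audit_ksvc(ksvc_list):
    """Return (namespace, service, container, reason) for every container
    that does not explicitly set allowPrivilegeEscalation to false."""
    findings = []
    for svc in ksvc_list.get("items", []):
        meta = svc.get("metadata", {})
        pod_spec = svc.get("spec", {}).get("template", {}).get("spec", {})
        for c in pod_spec.get("containers", []):
            # securityContext may be absent or null; both mean "unset".
            sc = c.get("securityContext") or {}
            value = sc.get("allowPrivilegeEscalation")
            if value is False:
                continue  # explicitly hardened
            reason = "unset" if value is None else "explicitly true"
            findings.append(
                (meta.get("namespace"), meta.get("name"), c.get("name"), reason)
            )
    return findings


if __name__ == "__main__":
    for ns, name, container, reason in audit_ksvc(SAMPLE):
        print(f"{ns}/{name} container={container}: "
              f"allowPrivilegeEscalation {reason}")
```

An unset field is reported alongside an explicit `true` because Kubernetes only applies `no_new_privs` to the container process when the field is explicitly false.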