This repository was archived by the owner on Dec 1, 2022. It is now read-only.

Conversation

@skonto

@skonto skonto commented Oct 19, 2022

* allow user workloads to run with restricted profile

* only change queue proxy
@openshift-ci openshift-ci bot requested review from mvinkler and rhuss October 19, 2022 21:16
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 19, 2022
@skonto skonto changed the title [RELEASE 1.5][Backport] Run queue proxy with restricted profile [RELEASE 1.5][BACKPORT] Run queue proxy with restricted profile Oct 19, 2022
@skonto
Author

skonto commented Oct 20, 2022

/retest

@skonto skonto mentioned this pull request Oct 20, 2022
@skonto skonto changed the title [RELEASE 1.5][BACKPORT] Run queue proxy with restricted profile [wip]RELEASE 1.5][BACKPORT] Run queue proxy with restricted profile Oct 20, 2022
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 20, 2022
@skonto
Author

skonto commented Oct 20, 2022

/retest

@skonto
Author

skonto commented Oct 24, 2022

/assign @nak3

@skonto skonto requested review from nak3 and removed request for mvinkler and rhuss October 24, 2022 20:30
@nak3

nak3 commented Oct 25, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 25, 2022
@openshift-ci

openshift-ci bot commented Oct 25, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nak3, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@skonto
Author

skonto commented Oct 26, 2022

Btw it seems that OCP adds some capabilities already by default as testing with:
kubernetes.podspec-securitycontext: enabled and

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: helloworld-go
spec:
  template:
    metadata:
      labels:
        app: helloworld-go
      annotations:
        autoscaling.knative.dev/minScale: "1"
        autoscaling.knative.dev/target: "1"
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
      - image: docker.io/skonto/helloworld-go:user
        imagePullPolicy: Always
        resources:
          requests:
            cpu: "200m"
        env:
        - name: TARGET
          value: "Go Sample v1"
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL

Gives the following for the queue-proxy container:

                        "securityContext": {
                            "allowPrivilegeEscalation": false,
                            "capabilities": {
                                "drop": [
                                    "ALL",
                                    "all"
                                ]
                            },
                            "readOnlyRootFilesystem": true,
                            "runAsNonRoot": true,
                            "runAsUser": 1000770000
                        },

This was tested on 4.12.0-ec.4 in a new namespace where we enforce restricted:

$ oc describe ns test
Name:         test
Labels:       kubernetes.io/metadata.name=test
              pod-security.kubernetes.io/enforce=restricted
              pod-security.kubernetes.io/enforce-version=v1.24
Annotations:  openshift.io/sa.scc.mcs: s0:c28,c7
              openshift.io/sa.scc.supplemental-groups: 1000770000/10000
              openshift.io/sa.scc.uid-range: 1000770000/10000
Status:       Active

$ oc get pods -n test 
NAME                                              READY   STATUS    RESTARTS   AGE
helloworld-go-00001-deployment-75f554f5d8-fwwcb   2/2     Running   0          11m

Full pods description here.
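
An added check, not part of this pull request or of the Knative or OpenShift code bases: it applies the restricted Pod Security Standard rules exercised in the comment above (allowPrivilegeEscalation, capabilities, runAsNonRoot, runAsUser, seccompProfile, with pod-level fields inherited by containers) to the queue-proxy securityContext as OCP rendered it and to the user container as written in the Service YAML, and checks runAsUser against the namespace's openshift.io/sa.scc.uid-range annotation. The inputs are copied from that comment; the rule set is my own summary of the restricted profile at enforce-version v1.24, not a library API.

```python
import json

# pod-level spec.securityContext from the Service YAML in the comment above
POD_SC = {"seccompProfile": {"type": "RuntimeDefault"}}

# queue-proxy securityContext as OCP rendered it (copied from the comment above)
QUEUE_PROXY_SC = json.loads("""{
  "allowPrivilegeEscalation": false,
  "capabilities": {"drop": ["ALL", "all"]},
  "readOnlyRootFilesystem": true,
  "runAsNonRoot": true,
  "runAsUser": 1000770000
}""")

# user container securityContext exactly as authored in the YAML, before any admission defaults
USER_CONTAINER_SC = {
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
}


def restricted_violations(pod_sc, container_sc):
    """Return the restricted-profile rules (my summary, v1.24) that one container fails.

    runAsNonRoot, runAsUser and seccompProfile are inherited from the pod level
    when the container does not set its own, mirroring how admission evaluates them.
    """
    v = []
    caps = container_sc.get("capabilities") or {}
    if container_sc.get("allowPrivilegeEscalation") is not False:
        v.append("allowPrivilegeEscalation must be false")
    # compare case-insensitively: OCP emitted both "ALL" and "all" in the drop list
    if "ALL" not in {c.upper() for c in caps.get("drop") or []}:
        v.append("capabilities.drop must include ALL")
    if {c.upper() for c in caps.get("add") or []} - {"NET_BIND_SERVICE"}:
        v.append("capabilities.add may only contain NET_BIND_SERVICE")
    if container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        v.append("runAsNonRoot must be true")
    if container_sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        v.append("runAsUser must not be 0")
    seccomp = container_sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        v.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return v


def uid_in_scc_range(run_as_user, uid_range):
    """True when runAsUser lies inside an openshift.io/sa.scc.uid-range value of the form 'start/size'."""
    start, size = (int(x) for x in uid_range.split("/"))
    return run_as_user is not None and start <= run_as_user < start + size


if __name__ == "__main__":
    for name, sc in (("queue-proxy", QUEUE_PROXY_SC), ("user-container", USER_CONTAINER_SC)):
        print(name, restricted_violations(POD_SC, sc) or "OK")
    print("runAsUser in SCC range:", uid_in_scc_range(QUEUE_PROXY_SC["runAsUser"], "1000770000/10000"))
```

The user container as authored passes only because the rendered pod gets allowPrivilegeEscalation=false and runAsUser injected by OCP admission, which is the point of the comment above.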

@skonto
Author

skonto commented Oct 26, 2022

Ready to merge.

@skonto skonto changed the title [wip]RELEASE 1.5][BACKPORT] Run queue proxy with restricted profile RELEASE 1.5][BACKPORT] Run queue proxy with restricted profile Oct 26, 2022
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 26, 2022
@skonto
Author

skonto commented Oct 26, 2022

/retest

@skonto
Author

skonto commented Oct 27, 2022

/test 410-e2e-aws-ocp-410

@openshift-ci

openshift-ci bot commented Oct 27, 2022

@skonto: all tests passed!


@openshift-merge-robot openshift-merge-robot merged commit 9a22e0e into openshift:release-v1.5 Oct 27, 2022
openshift-cherrypick-robot pushed a commit to openshift-cherrypick-robot/knative-serving that referenced this pull request Nov 16, 2022
…hift#1283)

* Run queue proxy with restricted profile (knative#13376)

* allow user workloads to run with restricted profile

* only change queue proxy

* remove seccomp
openshift-cherrypick-robot added a commit to openshift-cherrypick-robot/knative-serving that referenced this pull request Nov 24, 2022
…hift#1283) (openshift#19)

* Run queue proxy with restricted profile (knative#13376)

* allow user workloads to run with restricted profile

* only change queue proxy

* remove seccomp

Co-authored-by: Stavros Kontopoulos <skontopo@redhat.com>
openshift-cherrypick-robot pushed a commit to openshift-cherrypick-robot/knative-serving that referenced this pull request Nov 24, 2022
…hift#1283) (openshift#13)

* Run queue proxy with restricted profile (knative#13376)

* allow user workloads to run with restricted profile

* only change queue proxy

* remove seccomp