@ReToCode

Contains: 5b5eb3f and ddc2c42.

@ReToCode ReToCode requested review from nak3 and skonto December 20, 2022 14:21
@openshift-ci openshift-ci bot requested review from alanfx and mgencur December 20, 2022 14:21
@ReToCode
Author

@skonto in 1.6 SeccompProfile was removed upstream. We need to re-add it here, right?
So we'd also need to add it here: https://github.com/openshift-knative/serving/pull/90/files#diff-b77e64792c940b2c78ffffeef2af115babdd7fa455a1714e4478cec9c9c69593R772?

@ReToCode ReToCode changed the title [RELEASE-1.7] Backport of allowPrivilegeEscalation patch [RELEASE-1.7] Cherry-pick of allowPrivilegeEscalation patch Dec 20, 2022
@ReToCode
Author

Ah, not upstream. Are we also missing #9?

@skonto

skonto commented Dec 20, 2022

Yes, we missed #9; there was some cherry-picking left to be done. We usually make sure that all midstream branches are ok before bumping, to avoid test issues at the S-O which are hard to debug. You could bring #9 in first.

@ReToCode
Author

/hold
for #91

…e` on ksvc. (#18)

* [RELEASE-1.5] [BACKPORT] Feature: Let users set allowPrivilegeEscalation (#1282)

* Feature: Let users set `allowPrivilegeEscalation = false` on ksvc. (knative#13395)

:gift: This allows users to specify `allowPrivilegeEscalation` (in particular to false) to ensure that processes cannot escalate privileges.

Kicking the tires on the new GKE security posture dashboard, I noticed that ~all Knative services get flagged for this despite Knative not allowing me to set it to false!

https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard

/kind bug

* Fix: Add the new `AllowPrivilegeEscalation` field to the *other* fieldmask. (knative#13402)

:bug: My previous change missed the new config file that controls how the CRD schema is updated.

You can now clearly see the fields being added to the schemas.

Apologies for the break, I had no clue this was a thing!

/kind bug

Related: knative#13395

* add allowPrivilegeEscalation to manifests

Co-authored-by: Matt Moore <mattmoor@chainguard.dev>

* Add missing allowPrivilegeEscalation patch into 1-serving-crds.yaml (#1301)

* fix download script

Co-authored-by: Matt Moore <mattmoor@chainguard.dev>
Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com>
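Added example (not code from this PR or from Knative): a small audit that walks a Knative Service manifest and reports every container whose `securityContext.allowPrivilegeEscalation` is not pinned to `false`, the condition the GKE posture dashboard flagged in the commit message above, plus a `harden` helper that produces the corrected manifest. The sample manifest, the function names and the image references are constructed assumptions.

```python
"""Added example (not code from the PR or from Knative): audit a Knative
Service manifest for the setting this PR exposes, securityContext.
allowPrivilegeEscalation, and show the hardened form beside it."""
import copy

# Constructed sample ksvc (not from the PR): one container pins the field
# to false, one omits it, one sets it to true.
SAMPLE_KSVC: dict = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {"name": "hello", "namespace": "default"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "registry.invalid/app:1",
         "securityContext": {"allowPrivilegeEscalation": False}},
        {"name": "sidecar", "image": "registry.invalid/sidecar:1"},
        {"name": "debug", "image": "registry.invalid/debug:1",
         "securityContext": {"allowPrivilegeEscalation": True}},
    ]}}},
}

def _containers(ksvc: dict) -> list:
    """Return spec.template.spec.containers, or [] if the path is absent."""
    spec = ksvc.get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("containers") or []

def find_privilege_escalation_gaps(ksvc: dict) -> list:
    """One finding per container that does not pin allowPrivilegeEscalation
    to false. An unset field is a finding too: without it the kubelet does
    not set no_new_privs, so setuid binaries and file capabilities still work."""
    findings = []
    for c in _containers(ksvc):
        name = c.get("name", "<unnamed>")
        value = (c.get("securityContext") or {}).get("allowPrivilegeEscalation")
        if value is None:
            findings.append(f"{name}: allowPrivilegeEscalation unset")
        elif value is not False:
            findings.append(f"{name}: allowPrivilegeEscalation={value!r}")
    return findings

def harden(ksvc: dict) -> dict:
    """Return a deep copy with allowPrivilegeEscalation: false on every container."""
    fixed = copy.deepcopy(ksvc)
    for c in _containers(fixed):
        c.setdefault("securityContext", {})["allowPrivilegeEscalation"] = False
    return fixed

if __name__ == "__main__":
    for finding in find_privilege_escalation_gaps(SAMPLE_KSVC):
        print(finding)  # the sidecar and debug containers are reported
```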
@ReToCode
Author

/unhold

@nak3

nak3 commented Dec 22, 2022

/lgtm

@openshift-ci

openshift-ci bot commented Dec 22, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nak3, ReToCode

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 7a8ea93 into openshift-knative:release-v1.7 Dec 22, 2022
@ReToCode ReToCode deleted the backport-privescalation branch December 22, 2022 10:02