Bug 2108858: lib/resourcemerge: change SecurityContext reconcile #804
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci
bot
added
the
approved
jottofar
force-pushed
the
sec-ctx
branch
2 times, most recently
from
cd65134 to
f220066
Compare
jottofar
force-pushed
the
sec-ctx
branch
5 times, most recently
from
c6b101d to
3811c8c
Compare
|
/retitle Bug 2108858: lib/resourcemerge: change SecurityContext reconcile |
openshift-ci
bot
changed the title
openshift-ci
bot
added
bugzilla/severity-high
|
@jottofar: This pull request references Bugzilla bug 2108858, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test unit |
|
@jottofar: This pull request references Bugzilla bug 2108858, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jottofar
force-pushed
the
sec-ctx
branch
2 times, most recently
from
dcbfb82 to
c4b0b4a
Compare
|
@jottofar: This pull request references Bugzilla bug 2108858, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test unit |
to handle securityContext changes differently. Since d9f6718, if a securityContext is not explicitly specified in the manifest the resource's securityContext will remain unchanged and it will continue to use the securityContext setting of the currently running resource (if there is one). We're not sure of the exact reason the logic was originally developed in this manner but this change joins a series of similar previous tightenings, including openshift@02bb9ba (lib/resourcemerge/core: Clear env and envFrom if unset in manifest, 2021-04-20, openshift#549) and openshift@ca299b8 (lib/resourcemerge: remove ports which are no longer required, 2020-02-13, openshift#322). Reconciliation has been changed such that the entire securityContext structure, or any sub field of it, will be cleared if not specified in the manifest. This change affects Deployments, Jobs, and DaemonSets. It affects the securityContext found in both a PodSpec and a Container. Since the functions setInt64Ptr and setBoolPtr have been changed the impact is wide affecting ServiceAccounts, the PodSpec fields ShareProcessNamespace and TerminationGracePeriodSeconds, and the Job fields ActiveDeadlineSeconds and ManualSelector. For example, prior to this change assume Deployment machine-api-operator is running on the cluster with the following: securityContext: runAsNonRoot: true runAsUser: 65534 and during an upgrade the Deployment machine-api-operator no longer specifies a securityContext. The resulting upgraded Deployment machine-api-operator will still have the original securityContext: securityContext: runAsNonRoot: true runAsUser: 65534 Similarly, there is no way to remove, or clear, a securityContext field such as runAsUser. You can only modify it. After this change the above scenario will correctly result in the Deployment machine-api-operator not specifying securityContext upon upgrade completion. The changes apply to both the SecurityContext within a Container and the PodSecurityContext within a PodSpec.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jottofar, LalatenduMohanty, wking The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@jottofar: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@jottofar: All pull requests linked via external trackers have merged: Bugzilla bug 2108858 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
5 participants
to handle securityContext changes differently. Since d9f6718, if a securityContext is not explicitly specified in the manifest the resource's securityContext will remain unchanged and it will continue to use the securityContext setting of the currently running resource (if there is one). We're not sure of the exact reason the logic was originally developed in this manner but this change joins a series of similar previous tightenings, including 02bb9ba (lib/resourcemerge/core: Clear env and envFrom if unset in
manifest, 2021-04-20, #549) and ca299b8 (lib/resourcemerge: remove ports which are no longer required, 2020-02-13, #322).
Reconciliation has been changed such that the entire securityContext structure, or any sub field of it, will be cleared if not specified in the manifest. This change affects Deployments, Jobs, and DaemonSets. It affects the securityContext found in both a PodSpec and a Container. Since the functions setInt64Ptr and setBoolPtr have been changed the impact is wide affecting ServiceAccounts, the PodSpec fields ShareProcessNamespace and TerminationGracePeriodSeconds, and the Job fields
ActiveDeadlineSeconds and ManualSelector.
For example, prior to this change assume Deployment machine-api-operator is running on the cluster with the following:
securityContext:
runAsNonRoot: true
runAsUser: 65534
and during an upgrade the Deployment machine-api-operator no longer specifies a securityContext. The resulting upgraded Deployment machine-api-operator will still have the original securityContext:
securityContext:
runAsNonRoot: true
runAsUser: 65534
Similarly, there is no way to remove, or clear, a securityContext field such as
runAsUser. You can only modify it.After this change the above scenario will correctly result in the Deployment machine-api-operator not specifying securityContext upon upgrade completion.
The changes apply to both the
SecurityContext[1] within aContainerand thePodSecurityContext[2] within aPodSpec.[1]
cluster-version-operator/vendor/k8s.io/api/core/v1/types.go
Line 2429 in e0c9203
[2]
cluster-version-operator/vendor/k8s.io/api/core/v1/types.go
Line 2429 in e0c9203