[release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14377

knative-prow-robot · 2023-09-14T14:24:55Z

This is an automated cherry-pick of #14363

Fix secure 'secure-pod-defaults' to work with restricted namespaces

codecov · 2023-09-14T14:32:41Z

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.03% 🎉

Comparison is base (500756c) 86.20% compared to head (bb92846) 86.23%.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.10   #14377      +/-   ##
================================================
+ Coverage         86.20%   86.23%   +0.03%     
================================================
  Files               199      199              
  Lines             14763    14766       +3     
================================================
+ Hits              12726    12734       +8     
+ Misses             1734     1731       -3     
+ Partials            303      301       -2

Files Changed	Coverage Δ
pkg/reconciler/revision/resources/queue.go	`98.22% <ø> (ø)`
pkg/apis/serving/v1/revision_defaults.go	`97.48% <100.00%> (+0.04%)`	⬆️

... and 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

dprotaso · 2023-09-14T16:24:05Z

/lgtm
/approve

knative-prow · 2023-09-14T16:24:14Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, knative-prow-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [dprotaso]
~~pkg/apis/OWNERS~~ [dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

dprotaso · 2023-09-14T18:30:16Z

/override "test (v1.24.7, kourier-tls, e2e)"

knative-prow · 2023-09-14T18:30:20Z

@dprotaso: Overrode contexts on behalf of dprotaso: test (v1.24.7, kourier-tls, e2e)

In response to this:

/override "test (v1.24.7, kourier-tls, e2e)"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

dprotaso · 2023-09-14T18:51:29Z

/override "test (v1.25.3, kourier-tls, e2e)"

knative-prow · 2023-09-14T18:51:32Z

@dprotaso: Overrode contexts on behalf of dprotaso: test (v1.25.3, kourier-tls, e2e)

In response to this:

/override "test (v1.25.3, kourier-tls, e2e)"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

dprotaso · 2023-09-14T19:05:49Z

/override "test (v1.26.0, kourier-tls, e2e)"

knative-prow · 2023-09-14T19:05:52Z

@dprotaso: Overrode contexts on behalf of dprotaso: test (v1.26.0, kourier-tls, e2e)

In response to this:

/override "test (v1.26.0, kourier-tls, e2e)"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

* Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * drop safe to evict annotations (knative#14051) this prevents nodes from draining Co-authored-by: dprotaso <[email protected]> * [release-1.10] RandomChoice 2 policy wasn't random when the number of targets is 2 (with equal weight) (knative#14052) * RandomChoice 2 policy wasn't random when the number of targets is 2 * fix linting --------- Co-authored-by: dprotaso <[email protected]> * [release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14377) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot * fix perms --------- Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Dave Protasowski <[email protected]> * Fix secure pod defaults backports --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]> Co-authored-by: Clay Kauzlaric <[email protected]>

* Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * drop safe to evict annotations (knative#14051) this prevents nodes from draining Co-authored-by: dprotaso <[email protected]> * [release-1.10] RandomChoice 2 policy wasn't random when the number of targets is 2 (with equal weight) (knative#14052) * RandomChoice 2 policy wasn't random when the number of targets is 2 * fix linting --------- Co-authored-by: dprotaso <[email protected]> * [release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14377) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot * fix perms --------- Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Dave Protasowski <[email protected]> * Leave a comment which will trigger a new dot release (knative#14501) * [release-1.10] bump x/net to v0.17 (knative#14517) * [release-1.10] bump x/net to v0.17 * Re-generate test/config/tls/cert-secret.yaml (knative#14324) * Run hack/upgrade * Update secure-pod-defaults patch * Use a static value for S-O branch --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]> Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Kenjiro Nakayama <[email protected]>

* Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * drop safe to evict annotations (knative#14051) this prevents nodes from draining Co-authored-by: dprotaso <[email protected]> * [release-1.10] RandomChoice 2 policy wasn't random when the number of targets is 2 (with equal weight) (knative#14052) * RandomChoice 2 policy wasn't random when the number of targets is 2 * fix linting --------- Co-authored-by: dprotaso <[email protected]> * [release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14377) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot * fix perms --------- Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Dave Protasowski <[email protected]> * Leave a comment which will trigger a new dot release (knative#14501) * [release-1.10] bump x/net to v0.17 (knative#14517) * [release-1.10] bump x/net to v0.17 * Re-generate test/config/tls/cert-secret.yaml (knative#14324) * Run hack/upgrade * Bound buffer for reading stats (knative#14541) Co-authored-by: Evan Anderson <[email protected]> --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]> Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Kenjiro Nakayama <[email protected]> Co-authored-by: Evan Anderson <[email protected]>

KauzClay added 3 commits September 14, 2023 14:24

add seccompProfile to queue container security context

4b4ebb4

run as non root by default

1a227be

update tests to expect new default run as nonroot

0d3c8cd

knative-prow-robot mentioned this pull request Sep 14, 2023

fix securityContext for Knative Service Pod (user-container and queue-proxy) #14363

Merged

knative-prow bot added the area/API API objects and controllers label Sep 14, 2023

knative-prow bot requested review from carlisia and skonto September 14, 2023 14:25

knative-prow bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Sep 14, 2023

fix perms

bb92846

knative-prow bot assigned dprotaso Sep 14, 2023

knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Sep 14, 2023

knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2023

knative-prow bot merged commit 60754c3 into knative:release-1.10 Sep 14, 2023
54 of 57 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14377

[release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14377

knative-prow-robot commented Sep 14, 2023 •

edited by dprotaso

Loading

codecov bot commented Sep 14, 2023 •

edited

Loading

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

[release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14377

[release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14377

Conversation

knative-prow-robot commented Sep 14, 2023 • edited by dprotaso Loading

codecov bot commented Sep 14, 2023 • edited Loading

Codecov Report

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

knative-prow-robot commented Sep 14, 2023 •

edited by dprotaso

Loading

codecov bot commented Sep 14, 2023 •

edited

Loading