Sync upstream release (#460)

* Min TLS for tag to digest defaults to 1.2 again and is configurable (knative#13963) quay.io only supports 1.2 Co-authored-by: dprotaso <[email protected]> * drop safe to evict annotations (knative#14051) this prevents nodes from draining Co-authored-by: dprotaso <[email protected]> * [release-1.10] RandomChoice 2 policy wasn't random when the number of targets is 2 (with equal weight) (knative#14052) * RandomChoice 2 policy wasn't random when the number of targets is 2 * fix linting --------- Co-authored-by: dprotaso <[email protected]> * [release-1.10] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14377) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot * fix perms --------- Co-authored-by: Clay Kauzlaric <[email protected]> Co-authored-by: Dave Protasowski <[email protected]> * Fix secure pod defaults backports --------- Co-authored-by: Knative Prow Robot <[email protected]> Co-authored-by: dprotaso <[email protected]> Co-authored-by: Clay Kauzlaric <[email protected]>
openshift-knative · Oct 2, 2023 · c13b18d · c13b18d
1 parent 08434db
commit c13b18d
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 12 deletions.
diff --git a/openshift/patches/010-secure-pod-defaults.patch b/openshift/patches/010-secure-pod-defaults.patch
@@ -1,8 +1,8 @@
 diff --git a/pkg/apis/serving/v1/revision_defaults.go b/pkg/apis/serving/v1/revision_defaults.go
-index 8acbf3446..48c439b4a 100644
+index 2b3f5f2f2..b0960e6c3 100644
 --- a/pkg/apis/serving/v1/revision_defaults.go
 +++ b/pkg/apis/serving/v1/revision_defaults.go
-@@ -184,21 +184,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
+@@ -189,21 +189,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
  	if updatedSC.AllowPrivilegeEscalation == nil {
  		updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
  	}
@@ -26,24 +26,28 @@ index 8acbf3446..48c439b4a 100644
  				needsLowPort = true
  				break
  			}
-@@ -207,7 +200,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
+@@ -212,11 +205,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
  			updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"}
  		}
  	}
 -
+-	if psc.RunAsNonRoot == nil {
 +	if psc.RunAsNonRoot == nil && updatedSC.RunAsNonRoot == nil {
-+		updatedSC.RunAsNonRoot = ptr.Bool(true)
-+	}
+ 		updatedSC.RunAsNonRoot = ptr.Bool(true)
+ 	}
+-
  	if *updatedSC != (corev1.SecurityContext{}) {
  		container.SecurityContext = updatedSC
  	}
 diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go
-index 332fecfb4..401cac325 100644
+index 0fe5e6507..401cac325 100644
 --- a/pkg/apis/serving/v1/revision_defaults_test.go
 +++ b/pkg/apis/serving/v1/revision_defaults_test.go
-@@ -901,9 +901,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -900,11 +900,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						ReadinessProbe: defaultProbe,
  						Resources:      defaultResources,
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(false),
 -							SeccompProfile: &corev1.SeccompProfile{
 -								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -52,9 +56,11 @@ index 332fecfb4..401cac325 100644
  							Capabilities: &corev1.Capabilities{
  								Drop: []corev1.Capability{"ALL"},
  								Add:  []corev1.Capability{"NET_BIND_SERVICE"},
-@@ -914,9 +912,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -914,11 +911,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						Name:      "sidecar",
  						Resources: defaultResources,
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(false),
 -							SeccompProfile: &corev1.SeccompProfile{
 -								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -63,9 +69,11 @@ index 332fecfb4..401cac325 100644
  							Capabilities: &corev1.Capabilities{
  								Drop: []corev1.Capability{"ALL"},
  							},
-@@ -926,9 +922,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -927,11 +921,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						Name:      "special-sidecar",
  						Resources: defaultResources,
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(true),
 -							SeccompProfile: &corev1.SeccompProfile{
 -								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -74,25 +82,35 @@ index 332fecfb4..401cac325 100644
  							Capabilities: &corev1.Capabilities{
  								Add:  []corev1.Capability{"NET_ADMIN"},
  								Drop: []corev1.Capability{},
-@@ -943,6 +937,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -941,12 +932,12 @@ func TestRevisionDefaulting(t *testing.T) {
+ 					InitContainers: []corev1.Container{{
+ 						Name: "special-init",
+ 						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
+ 							AllowPrivilegeEscalation: ptr.Bool(true),
+ 							SeccompProfile: &corev1.SeccompProfile{
  								Type:             corev1.SeccompProfileTypeLocalhost,
  								LocalhostProfile: ptr.String("special"),
  							},
 +							RunAsNonRoot: ptr.Bool(true),
  							Capabilities: &corev1.Capabilities{
  								Add: []corev1.Capability{"NET_ADMIN"},
  							},
-@@ -1001,6 +996,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -1004,8 +995,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						ReadinessProbe: defaultProbe,
  						Resources:      defaultResources,
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(false),
 +							RunAsNonRoot:             ptr.Bool(true),
  							Capabilities: &corev1.Capabilities{
  								Drop: []corev1.Capability{"ALL"},
  							},
-@@ -1010,6 +1006,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -1014,8 +1005,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 					InitContainers: []corev1.Container{{
  						Name: "init",
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(false),
 +							RunAsNonRoot:             ptr.Bool(true),
  							Capabilities: &corev1.Capabilities{
@@ -112,3 +130,17 @@ index af1498dee..96e4839a9 100644
  }
 
  func TestUnsafePermitted(t *testing.T) {
+diff --git a/pkg/reconciler/revision/resources/queue.go b/pkg/reconciler/revision/resources/queue.go
+index 1fb964a53..b8cd617ef 100644
+--- a/pkg/reconciler/revision/resources/queue.go
++++ b/pkg/reconciler/revision/resources/queue.go
+@@ -86,9 +86,6 @@ var (
+ 		Capabilities: &corev1.Capabilities{
+ 			Drop: []corev1.Capability{"ALL"},
+ 		},
+-		SeccompProfile: &corev1.SeccompProfile{
+-			Type: corev1.SeccompProfileTypeRuntimeDefault,
+-		},
+ 	}
+ )
+
diff --git a/vendor/k8s.io/code-generator/generate-groups.sh b/vendor/k8s.io/code-generator/generate-groups.sh
diff --git a/vendor/knative.dev/pkg/hack/generate-knative.sh b/vendor/knative.dev/pkg/hack/generate-knative.sh