diff --git a/openshift/patches/010-secure-pod-defaults.patch b/openshift/patches/010-secure-pod-defaults.patch index 2afe99c00464..f836aa6c3f96 100644 --- a/openshift/patches/010-secure-pod-defaults.patch +++ b/openshift/patches/010-secure-pod-defaults.patch @@ -1,8 +1,8 @@ diff --git a/pkg/apis/serving/v1/revision_defaults.go b/pkg/apis/serving/v1/revision_defaults.go -index 8acbf3446..48c439b4a 100644 +index 2b3f5f2f2..b0960e6c3 100644 --- a/pkg/apis/serving/v1/revision_defaults.go +++ b/pkg/apis/serving/v1/revision_defaults.go -@@ -184,21 +184,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c +@@ -189,21 +189,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c if updatedSC.AllowPrivilegeEscalation == nil { updatedSC.AllowPrivilegeEscalation = ptr.Bool(false) } @@ -26,24 +26,28 @@ index 8acbf3446..48c439b4a 100644 needsLowPort = true break } -@@ -207,7 +200,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c +@@ -212,11 +205,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"} } } - +- if psc.RunAsNonRoot == nil { + if psc.RunAsNonRoot == nil && updatedSC.RunAsNonRoot == nil { -+ updatedSC.RunAsNonRoot = ptr.Bool(true) -+ } + updatedSC.RunAsNonRoot = ptr.Bool(true) + } +- if *updatedSC != (corev1.SecurityContext{}) { container.SecurityContext = updatedSC } diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go -index 332fecfb4..401cac325 100644 +index 0fe5e6507..401cac325 100644 --- a/pkg/apis/serving/v1/revision_defaults_test.go 
+++ b/pkg/apis/serving/v1/revision_defaults_test.go -@@ -901,9 +901,7 @@ func TestRevisionDefaulting(t *testing.T) { +@@ -900,11 +900,8 @@ func TestRevisionDefaulting(t *testing.T) { + ReadinessProbe: defaultProbe, Resources: defaultResources, SecurityContext: &corev1.SecurityContext{ +- RunAsNonRoot: ptr.Bool(true), AllowPrivilegeEscalation: ptr.Bool(false), - SeccompProfile: &corev1.SeccompProfile{ - Type: corev1.SeccompProfileTypeRuntimeDefault, @@ -52,9 +56,11 @@ index 332fecfb4..401cac325 100644 Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, Add: []corev1.Capability{"NET_BIND_SERVICE"}, -@@ -914,9 +912,7 @@ func TestRevisionDefaulting(t *testing.T) { +@@ -914,11 +911,8 @@ func TestRevisionDefaulting(t *testing.T) { + Name: "sidecar", Resources: defaultResources, SecurityContext: &corev1.SecurityContext{ +- RunAsNonRoot: ptr.Bool(true), AllowPrivilegeEscalation: ptr.Bool(false), - SeccompProfile: &corev1.SeccompProfile{ - Type: corev1.SeccompProfileTypeRuntimeDefault, @@ -63,9 +69,11 @@ index 332fecfb4..401cac325 100644 Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, -@@ -926,9 +922,7 @@ func TestRevisionDefaulting(t *testing.T) { +@@ -927,11 +921,8 @@ func TestRevisionDefaulting(t *testing.T) { + Name: "special-sidecar", Resources: defaultResources, SecurityContext: &corev1.SecurityContext{ +- RunAsNonRoot: ptr.Bool(true), AllowPrivilegeEscalation: ptr.Bool(true), - SeccompProfile: &corev1.SeccompProfile{ - Type: corev1.SeccompProfileTypeRuntimeDefault, 
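Review bot: The rebased inner hunk `@@ -212,11 +205,9 @@` in revision_defaults.go replaces upstream's `if psc.RunAsNonRoot == nil {` with `if psc.RunAsNonRoot == nil && updatedSC.RunAsNonRoot == nil {`, so a container that explicitly sets RunAsNonRoot to false now keeps that value where the upstream line would have overwritten it with `ptr.Bool(true)`; nothing in this diff records that the narrowing is deliberate. Because 010-secure-pod-defaults.patch has no descriptive header, a short paragraph at its top stating that the defaulter only fills an unset RunAsNonRoot and that enforcement of non-root execution is expected from admission (presumably the platform's SCC, which is outside this diff) would keep the next rebase from reverting the condition to upstream's form. The two blank-line removals (`-` before `if` and `-` before `if *updatedSC != (corev1.SecurityContext{})`) mix formatting into a behavioural change and could be left out of a future rebase. defaultSecurityContext starts and ends outside the inner hunk.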
@@ -74,7 +82,13 @@ index 332fecfb4..401cac325 100644 Capabilities: &corev1.Capabilities{ Add: []corev1.Capability{"NET_ADMIN"}, Drop: []corev1.Capability{}, -@@ -943,6 +937,7 @@ func TestRevisionDefaulting(t *testing.T) { +@@ -941,12 +932,12 @@ func TestRevisionDefaulting(t *testing.T) { + InitContainers: []corev1.Container{{ + Name: "special-init", + SecurityContext: &corev1.SecurityContext{ +- RunAsNonRoot: ptr.Bool(true), + AllowPrivilegeEscalation: ptr.Bool(true), + SeccompProfile: &corev1.SeccompProfile{ Type: corev1.SeccompProfileTypeLocalhost, LocalhostProfile: ptr.String("special"), }, @@ -82,17 +96,21 @@ index 332fecfb4..401cac325 100644 Capabilities: &corev1.Capabilities{ Add: []corev1.Capability{"NET_ADMIN"}, }, -@@ -1001,6 +996,7 @@ func TestRevisionDefaulting(t *testing.T) { +@@ -1004,8 +995,8 @@ func TestRevisionDefaulting(t *testing.T) { + ReadinessProbe: defaultProbe, Resources: defaultResources, SecurityContext: &corev1.SecurityContext{ +- RunAsNonRoot: ptr.Bool(true), AllowPrivilegeEscalation: ptr.Bool(false), + RunAsNonRoot: ptr.Bool(true), Capabilities: &corev1.Capabilities{ Drop: []corev1.Capability{"ALL"}, }, -@@ -1010,6 +1006,7 @@ func TestRevisionDefaulting(t *testing.T) { +@@ -1014,8 +1005,8 @@ func TestRevisionDefaulting(t *testing.T) { + InitContainers: []corev1.Container{{ Name: "init", SecurityContext: &corev1.SecurityContext{ +- RunAsNonRoot: ptr.Bool(true), AllowPrivilegeEscalation: ptr.Bool(false), + RunAsNonRoot: ptr.Bool(true), Capabilities: &corev1.Capabilities{ 
@@ -112,3 +130,17 @@ index af1498dee..96e4839a9 100644 } func TestUnsafePermitted(t *testing.T) { +diff --git a/pkg/reconciler/revision/resources/queue.go b/pkg/reconciler/revision/resources/queue.go +index 1fb964a53..b8cd617ef 100644 +--- a/pkg/reconciler/revision/resources/queue.go ++++ b/pkg/reconciler/revision/resources/queue.go +@@ -86,9 +86,6 @@ var ( + Capabilities: &corev1.Capabilities{ + Drop: []corev1.Capability{"ALL"}, + }, +- SeccompProfile: &corev1.SeccompProfile{ +- Type: corev1.SeccompProfileTypeRuntimeDefault, +- }, + } + ) + diff --git a/vendor/k8s.io/code-generator/generate-groups.sh b/vendor/k8s.io/code-generator/generate-groups.sh old mode 100644 new mode 100755 diff --git a/vendor/knative.dev/pkg/hack/generate-knative.sh b/vendor/knative.dev/pkg/hack/generate-knative.sh old mode 100644 new mode 100755
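Review bot: The added queue.go hunk `@@ -86,9 +86,6 @@ var (` drops `SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}` from the queue-proxy container's SecurityContext, and nothing in this diff says what supplies a seccomp profile afterwards; if the intent is that pod admission on the target platform injects one, that should be stated in the patch file, otherwise the container falls back to whatever the pod or node default is. The same RuntimeDefault removal is made for user containers in the revision_defaults_test.go hunks earlier in this diff, so one explanatory paragraph at the head of 010-secure-pod-defaults.patch covering both would do. The `var (` block and `TestUnsafePermitted` both extend outside the hunk; the two vendor script mode changes need no review.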