Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Explicitly request "use" verb on SCC #1455

Merged
merged 1 commit into from
Nov 22, 2022
Merged

Explicitly request "use" verb on SCC #1455

merged 1 commit into from
Nov 22, 2022

Conversation

phoracek
Copy link
Member

@phoracek phoracek commented Nov 22, 2022
edited
Loading

What this PR does / why we need it:

In order to notify pod-security.kubernetes.io that we intent to create (potentially privileged) SCCs, so it labels us as "privileged", we have to explicitly request "use" verb for scc.

With this change, CNAO's namespace is marked as pod-security.kubernetes.io/enforce: priviledged even before we deploy any of our privileged components. This assures that CNAO does not show up in audit logs.

Special notes for your reviewer:

Release note:

Resolve audit warnings.

@phoracek
Explicitly request "use" verb on SCC
a858bcd 
In order to notify pod-security.kubernetes.io that we intent to
create (potentially privileged) SCCs, so it labels us as "privileged",
we have to explicitly request "use" verb for scc.

With this change, CNAO's namespace is marked as
pod-security.kubernetes.io/enforce: priviledged
even before we deploy any of our privileged components. This assures
that CNAO does not show up in audit logs.

Signed-off-by: Petr Horáček <[email protected]>
@kubevirt-bot
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Nov 22, 2022
@phoracek phoracek marked this pull request as ready for review November 22, 2022 08:53
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 22, 2022
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@qinqon
Copy link
Collaborator

qinqon commented Nov 22, 2022

/lgtm
/approve

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Nov 22, 2022
@kubevirt-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qinqon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 22, 2022
@phoracek
Copy link
Member Author

/retest

@kubevirt-bot kubevirt-bot merged commit 7f29e15 into kubevirt:main Nov 22, 2022
@phoracek
Copy link
Member Author

/cherry-pick release-0.79
/cherry-pick release-0.76

@kubevirt-bot kubevirt-bot mentioned this pull request Nov 22, 2022
Merged
@kubevirt-bot
Copy link
Collaborator

@phoracek: new pull request created: #1457

In response to this:

/cherry-pick release-0.79
/cherry-pick release-0.76

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@phoracek
Copy link
Member Author

/cherry-pick release-0.76

@kubevirt-bot kubevirt-bot mentioned this pull request Nov 22, 2022
Merged
@kubevirt-bot
Copy link
Collaborator

@phoracek: new pull request created: #1458

In response to this:

/cherry-pick release-0.76

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tiraboschi tiraboschi mentioned this pull request Nov 22, 2022
Closed
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alonSadan alonSadan Awaiting requested review from alonSadan

@qinqon qinqon Awaiting requested review from qinqon

@RamLavi RamLavi Awaiting requested review from RamLavi

Assignees

@qinqon qinqon

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@phoracek @kubevirt-bot @qinqon