@Redent0r

Merge Checklist
Summary

This merges to msft-main the current webhook implementation we use in conformance tests. We differ from the upstream implementation in 2 ways:

Associated issues
Links to CVEs
Test Methodology

https://dev.azure.com/mariner-org/mariner/_build/results?buildId=963302&view=results

@Redent0r Redent0r requested review from a team as code owners October 28, 2025 17:18
@Redent0r Redent0r added the upstream/not-needed PRs that will not be upstreamed (e.g. internal) label Oct 28, 2025
@Redent0r Redent0r requested review from danmihai1 and sprt October 28, 2025 17:19

@sprt sprt left a comment

@Redent0r Could you upstream the privileged commit? Do you know who uses the webhook upstream?

@Camelron @danmihai1 Does it make any sense to upstream the memory limit commit (which is already behind a flag) given how we handle memory?

@danmihai1

> @Redent0r Could you upstream the privileged commit? Do you know who uses the webhook upstream?
>
> @Camelron @danmihai1 Does it make any sense to upstream the memory limit commit (which is already behind a flag) given how we handle memory?

Someone would have to carefully compare the upstream behavior with the behavior of CLH + MSHV. I expect that it's very different and the discussion with upstream would take a long time.

@Redent0r
Author

> @Redent0r Could you upstream the privileged commit? Do you know who uses the webhook upstream?

Judging by CI usage, only openshift https://github.com/kata-containers/kata-containers/blob/main/ci/openshift-ci/peer-pods-azure.sh#L269 I'll reach out

@sprt

sprt commented Oct 28, 2025

> > @Redent0r Could you upstream the privileged commit? Do you know who uses the webhook upstream?
>
> Judging by CI usage, only openshift https://github.com/kata-containers/kata-containers/blob/main/ci/openshift-ci/peer-pods-azure.sh#L269 I'll reach out

Agreed - we can open a PR and add Lukasz and Greg as reviewers.

@Redent0r Redent0r marked this pull request as draft October 29, 2025 20:18
@sprt sprt added upstream/missing PRs that are yet to be upstreamed and removed upstream/not-needed PRs that will not be upstreamed (e.g. internal) labels Oct 30, 2025
@Redent0r
Author

> > > @Redent0r Could you upstream the privileged commit? Do you know who uses the webhook upstream?
> >
> > Judging by CI usage, only openshift https://github.com/kata-containers/kata-containers/blob/main/ci/openshift-ci/peer-pods-azure.sh#L269 I'll reach out
>
> Agreed - we can open a PR and add Lukasz and Greg as reviewers.

kata-containers#12008

@Redent0r Redent0r marked this pull request as ready for review November 11, 2025 17:19
@Redent0r Redent0r requested a review from sprt November 11, 2025 17:21

@sprt sprt left a comment

LGTM but the commit messages could be more descriptive for posterity.

If memory limit is set and less than minimum, set it to minimum.

This is to account for kata-containers@0ec3403

Signed-off-by: Saul Paredes <[email protected]>

As of https://microsoft.visualstudio.com/OS/_workitems/edit/48222512?src=WorkItemMention&src-action=artifact_link ,
we are able to run privileged containers on kata, so allow them through the webhook.

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r Redent0r force-pushed the saulparedes/webhook_manage_resources branch from 41a75a5 to c7caa15 Compare November 12, 2025 18:02
@Redent0r Redent0r added upstream/not-needed PRs that will not be upstreamed (e.g. internal) upstream/merged PRs that have been merged upstream and removed upstream/missing PRs that are yet to be upstreamed labels Nov 12, 2025
@Redent0r Redent0r requested a review from sprt November 12, 2025 18:08
@Redent0r Redent0r merged commit 081d51e into msft-main Nov 12, 2025
59 of 65 checks passed
@Redent0r Redent0r deleted the saulparedes/webhook_manage_resources branch November 12, 2025 19:38