AUTH-2: reenable PodSecurity on privileged level#1308
AUTH-2: reenable PodSecurity on privileged level#1308openshift-merge-robot merged 1 commit intoopenshift:masterfrom
Conversation
|
yes i see the reason failures in the e2e logs, however audit doesn't contain them, i.e. from https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_cluster-kube-apiserver-operator/1308/pull-ci-openshift-cluster-kube-apiserver-operator-master-e2e-aws-serial/1491066281317634048: @stlaz can you check why we have no audit entries for pod-security? |
|
xref'ing openshift/kubernetes#1128 this is the backport PR which I am keeping up-to-date with upstream. |
|
@stlaz i see you bumped audit entries to |
|
I did not notice your earlier comments and was bumping the audit and warn levels in the meantime to see what's going to block us from moving further to the more restrictive level. I'll check the audit logs now and see whether we've got something. |
@s-urbaniak I see what's the issue - upstream changed the annotation to |
doh, you're right. now we get nice result of e2e test offenders: I am wrapping up the upstream e2e tests, once I have a 👍 from ligitt we can ping on merging the downstream backport and fix the downstream e2e tests. |
|
/retest |
1 similar comment
|
/retest |
|
retesting, as the first one most likely didn't have the necessary changes yet. I will:
|
|
/retest |
|
/retest |
7 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
/retest |
|
/retest |
stlaz
changed the title
|
Moving the enforce to privileged so that we can reiterate on tests easier. We'll move to restricted soon(-ish maybe). |
|
/retest |
|
/lgtm |
|
/retest-required |
|
/hold |
openshift-ci
Bot
added
the
do-not-merge/hold
|
/retest-required |
|
/hold cancel |
openshift-ci
Bot
removed
the
do-not-merge/hold
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
6 similar comments
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/hold |
openshift-ci
Bot
added
the
do-not-merge/hold
|
/hold cancel |
openshift-ci
Bot
removed
the
do-not-merge/hold
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
@stlaz: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
Issue https://bugzilla.redhat.com/show_bug.cgi?id=2079292 Problem: In Kubernetes v1.23 the PodSecurity feature is enabled by default, OpenShift is making use of this feature and by default some expectations are already set [1], these expectations end up triggering a lot of alarms in the logs of CMO and workload running on the UWM namespace. [1] openshift/cluster-kube-apiserver-operator#1308 Solution: Add PodSecurity namespace labels to allow workloads running on UWM to have full privileges which will silence the alerts
Issue https://bugzilla.redhat.com/show_bug.cgi?id=2079292 Problem: In Kubernetes v1.23 the PodSecurity feature is enabled by default, OpenShift is making use of this feature and by default some expectations are already set [1], these expectations end up triggering a lot of alarms in the logs of CMO and workload running on the UWM namespace. [1] openshift/cluster-kube-apiserver-operator#1308 Solution: Add PodSecurity namespace labels to allow workloads running on UWM to have full privileges which will silence the alerts
Issue https://bugzilla.redhat.com/show_bug.cgi?id=2079292 Problem: In Kubernetes v1.23 the PodSecurity feature is enabled by default, OpenShift is making use of this feature and by default some expectations are already set [1], these expectations end up triggering a lot of alarms in the logs of CMO and workload running on the UWM namespace. [1] openshift/cluster-kube-apiserver-operator#1308 Solution: Annotate deployments that violate the PodSecurity mode restricted on the UWM namespace
Issue https://bugzilla.redhat.com/show_bug.cgi?id=2079292 Problem: In Kubernetes v1.23 the PodSecurity feature is enabled by default, OpenShift is making use of this feature and by default some expectations are already set [1], these expectations end up triggering a lot of alarms in the logs of CMO and workload running on the UWM namespace. [1] openshift/cluster-kube-apiserver-operator#1308 Solution: Annotate deployments that violate the PodSecurity mode restricted on the UWM namespace
Issue https://bugzilla.redhat.com/show_bug.cgi?id=2079292 Problem: In Kubernetes v1.23 the PodSecurity feature is enabled by default, OpenShift is making use of this feature and by default some expectations are already set [1], these expectations end up triggering a lot of alarms in the logs of CMO and workload running on the UWM namespace. [1] openshift/cluster-kube-apiserver-operator#1308 Solution: Annotate deployments that violate the PodSecurity mode restricted on the UWM namespace
Issue https://bugzilla.redhat.com/show_bug.cgi?id=2079292 Problem: In Kubernetes v1.23 the PodSecurity feature is enabled by default, OpenShift is making use of this feature and by default some expectations are already set [1], these expectations end up triggering a lot of alarms in the logs of CMO and workload running on the UWM namespace. [1] openshift/cluster-kube-apiserver-operator#1308 Solution: Annotate deployments that violate the PodSecurity mode restricted on the UWM namespace and update the SCC used by the SA of the prometheus instance in UWM
Issue https://bugzilla.redhat.com/show_bug.cgi?id=2079292 Problem: In Kubernetes v1.23 the PodSecurity feature is enabled by default, OpenShift is making use of this feature and by default some expectations are already set [1], these expectations end up triggering a lot of alarms in the logs of CMO and workload running on the UWM namespace. [1] openshift/cluster-kube-apiserver-operator#1308 Solution: Annotate deployments that violate the PodSecurity mode restricted on the UWM namespace and update the SCC used by the SA of the prometheus instance in UWM
5 participants
This enables the PodSecurity admission with baseline level (for now). I suspect it might break tests, which is where @s-urbaniak's upstream involvement in the e2e framework might come handy.
/cc @s-urbaniak
/cc @openshift/openshift-team-auth-maintainers