Bug 1977924: [release-4.8] Ensure scc compatibility with BoundServiceAccountTokenVolume #842

Merged: mfojtik merged 2 commits into openshift:release-4.8 from stlaz:48_scc_projected_volumes on Jul 2, 2021

Conversation

@stlaz stlaz commented Jul 1, 2021

Previous to the BoundServiceAccountTokenVolume feature being enabled, the automatic mounting of legacy token secrets required that an scc permit secret volume sources either implicitly (by allowing all volume sources) or explicitly (by specifying 'secret' in the set of allowed volumes).

To ensure compatibility with this permission scheme for the projected token volumes enabled by BoundServiceAccountTokenVolume, this commit ensures that the projected volumes of service account tokens will be permitted under the same criteria (i.e. secret volume sources are allowed by an scc).

/cc @sttts @s-urbaniak @marun
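
The admission rule described in the PR description above, as an added Go example that is not the code merged in this pull request: the reduced `Volume` type, the `isTokenVolume` heuristic and the `compat` switch are assumptions made for illustration. A constructed SCC that lists `secret` but not `projected` rejects the token volume without the rule and admits it with the rule.

```go
package main

import "fmt"

// Volume is a reduced pod volume: a source type plus projected source kinds.
type Volume struct {
	Type    string   // "secret", "projected", "hostPath", ...
	Sources []string // only set when Type == "projected"
}

// isTokenVolume is an assumed heuristic for "projected volume of a service
// account token": it carries a serviceAccountToken source and nothing
// beyond the configMap and downwardAPI sources injected alongside it.
func isTokenVolume(v Volume) bool {
	hasToken := false
	for _, s := range v.Sources {
		switch s {
		case "serviceAccountToken":
			hasToken = true
		case "configMap", "downwardAPI":
		default:
			return false
		}
	}
	return v.Type == "projected" && hasToken
}

// allows reports whether an SCC volumes list permits type t ("*" = all).
func allows(sccVolumes []string, t string) bool {
	for _, a := range sccVolumes {
		if a == "*" || a == t {
			return true
		}
	}
	return false
}

// Permitted applies the rule from the PR description when compat is true:
// a token volume is admitted wherever secret volume sources are allowed.
func Permitted(sccVolumes []string, v Volume, compat bool) bool {
	return allows(sccVolumes, v.Type) ||
		(compat && isTokenVolume(v) && allows(sccVolumes, "secret"))
}

func main() {
	scc := []string{"configMap", "emptyDir", "secret"} // constructed SCC
	tok := Volume{Type: "projected", Sources: []string{"serviceAccountToken", "configMap", "downwardAPI"}}
	fmt.Println(Permitted(scc, tok, false), Permitted(scc, tok, true)) // false true
}
```

A projected volume that carries any other source kind, such as an arbitrary secret, does not match the heuristic and still needs `projected` to be allowed explicitly.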

marun and others added 2 commits July 1, 2021 16:55
… publishing

This commit should be squashed with:

UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
@openshift-ci openshift-ci bot requested review from marun, s-urbaniak and sttts July 1, 2021 15:00
@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Jul 1, 2021
@openshift-ci openshift-ci bot added the bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. label Jul 1, 2021

openshift-ci bot commented Jul 1, 2021

@stlaz: This pull request references Bugzilla bug 1977920, which is invalid:

  • expected the bug to target the "4.8.0" release, but it targets "4.9.0" instead
  • expected Bugzilla bug 1977920 to depend on a bug targeting a release in 4.9.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Jul 1, 2021
@openshift-ci-robot

@stlaz: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Jul 1, 2021
@sttts sttts removed the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Jul 1, 2021

sttts commented Jul 1, 2021

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2021

openshift-ci bot commented Jul 1, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2021
@stlaz stlaz changed the title Bug 1977920: Ensure scc compatibility with BoundServiceAccountTokenVolume [4.8] Bug 1977924: Ensure scc compatibility with BoundServiceAccountTokenVolume Jul 1, 2021

openshift-ci bot commented Jul 1, 2021

@stlaz: This pull request references Bugzilla bug 1977924, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, ON_DEV, POST, POST, but it is ON_QA instead
  • expected dependent Bugzilla bug 1977920 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

@sttts sttts changed the title [4.8] Bug 1977924: Ensure scc compatibility with BoundServiceAccountTokenVolume Bug 1977924: Ensure scc compatibility with BoundServiceAccountTokenVolume Jul 1, 2021

sttts commented Jul 1, 2021

/bugzilla refresh

openshift-ci bot commented Jul 1, 2021

@sttts: This pull request references Bugzilla bug 1977924, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, ON_DEV, POST, POST, but it is ON_QA instead
  • expected dependent Bugzilla bug 1977920 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

bparees commented Jul 1, 2021

/bugzilla refresh

openshift-ci bot commented Jul 1, 2021

@bparees: This pull request references Bugzilla bug 1977924, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, ON_DEV, POST, POST, but it is MODIFIED instead
  • expected dependent Bugzilla bug 1977920 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

bparees commented Jul 1, 2021

/bugzilla refresh

openshift-ci bot commented Jul 1, 2021

@bparees: This pull request references Bugzilla bug 1977924, which is invalid:

  • expected dependent Bugzilla bug 1977920 to be in one of the following states: MODIFIED, ON_QA, VERIFIED, but it is POST instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

@mfojtik mfojtik added the staff-eng-approved Indicates a release branch PR has been approved by a staff engineer (formerly group/pillar lead). label Jul 1, 2021
@vikaslaad

/retest

@openshift-bot

/retest

Please review the full test history for this PR and help us cut down flakes.

@bparees bparees added bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Jul 1, 2021

sttts commented Jul 1, 2021

/retest

unrelated

marun commented Jul 2, 2021

/retitle Bug 1977924: [release-4.8] Ensure scc compatibility with BoundServiceAccountTokenVolume

@openshift-ci openshift-ci bot changed the title Bug 1977924: Ensure scc compatibility with BoundServiceAccountTokenVolume Bug 1977924: [release-4.8] Ensure scc compatibility with BoundServiceAccountTokenVolume Jul 2, 2021

marun commented Jul 2, 2021

Test failure in e2e-gcp can be overridden. Test should be skipped (addressed by openshift/origin#26267).

Disruptive failure can also be overridden, should be optional (addressed by openshift/release#19909).

mfojtik commented Jul 2, 2021

/override ci/prow/e2e-aws-disruptive
/override ci/prow/e2e-gcp

@mfojtik mfojtik merged commit 66b664d into openshift:release-4.8 Jul 2, 2021

openshift-ci bot commented Jul 2, 2021

@mfojtik: Overrode contexts on behalf of mfojtik: ci/prow/e2e-aws-disruptive, ci/prow/e2e-gcp

openshift-ci bot commented Jul 2, 2021

@stlaz: All pull requests linked via external trackers have merged:

Bugzilla bug 1977924 has been moved to the MODIFIED state.

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • bugzilla/severity-urgent: Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting.
  • bugzilla/valid-bug: Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting.
  • lgtm: Indicates that a PR is ready to be merged.
  • staff-eng-approved: Indicates a release branch PR has been approved by a staff engineer (formerly group/pillar lead).
  • vendor-update: Touching vendor dir or related files