Bug 1977924: [release-4.8] Ensure scc compatibility with BoundServiceAccountTokenVolume #842
… publishing This commit should be squashed with: UPSTREAM: <carry>: Ensure service ca is mounted for projected tokens
|
@stlaz: This pull request references Bugzilla bug 1977920, which is invalid:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@stlaz: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
|
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: stlaz, sttts. The full list of commands accepted by this bot can be found here. The pull request process is described here. Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@stlaz: This pull request references Bugzilla bug 1977924, which is invalid:
|
/bugzilla refresh |
|
@sttts: This pull request references Bugzilla bug 1977924, which is invalid:
|
/bugzilla refresh |
|
@bparees: This pull request references Bugzilla bug 1977924, which is invalid:
|
/bugzilla refresh |
|
@bparees: This pull request references Bugzilla bug 1977924, which is invalid:
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest unrelated |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retitle Bug 1977924: [release-4.8] Ensure scc compatibility with BoundServiceAccountTokenVolume |
|
Test failure in e2e-gcp can be overridden. Test should be skipped (addressed by openshift/origin#26267). Disruptive failure can also be overridden, should be optional (addressed by openshift/release#19909). |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/override ci/prow/e2e-aws-disruptive |
|
@mfojtik: Overrode contexts on behalf of mfojtik: ci/prow/e2e-aws-disruptive, ci/prow/e2e-gcp |
|
@stlaz: All pull requests linked via external trackers have merged: Bugzilla bug 1977924 has been moved to the MODIFIED state. |
Previous to the BoundServiceAccountTokenVolume feature being enabled, the automatic mounting of legacy token secrets required that an scc permit secret volume sources either implicitly (by allowing all volume sources) or explicitly (by specifying 'secret' in the set of allowed volumes).
To ensure compatibility with this permission scheme for the projected token volumes enabled by BoundServiceAccountTokenVolume, this commit ensures that the projected volumes of service account tokens will be permitted under the same criteria (i.e. secret volume sources are allowed by an scc).
/cc @sttts @s-urbaniak @marun
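
The rule from the description above, as an added Go example that is not code from this pull request: a projected service account token volume is admitted whenever the SCC allows secret volumes. The type and function names are hypothetical, and the test for what counts as a token projection is an assumption.

```go
package main

import "fmt"

// FSType and Volume are stand-ins for this example, not the OpenShift API types.
type FSType string

const FSTypeAll, FSTypeSecret, FSProjected FSType = "*", "secret", "projected"

type Volume struct {
	Type    FSType
	Sources []string // kinds of the sources inside a projected volume
}

func allows(allowed []FSType, t FSType) bool {
	for _, a := range allowed {
		if a == t {
			return true
		}
	}
	return false
}

// isTokenProjection is an assumed criterion: a service account token plus only
// configMap and downwardAPI sources. Any other source kind disqualifies the
// volume, so the rule cannot admit arbitrary projected content.
func isTokenProjection(v Volume) bool {
	hasToken := false
	for _, kind := range v.Sources {
		switch kind {
		case "serviceAccountToken":
			hasToken = true
		case "configMap", "downwardAPI":
		default:
			return false
		}
	}
	return v.Type == FSProjected && hasToken
}

// VolumePermitted is the allowed-volumes check plus the compatibility rule.
func VolumePermitted(allowed []FSType, v Volume) bool {
	return allows(allowed, FSTypeAll) || allows(allowed, v.Type) ||
		(isTokenProjection(v) && allows(allowed, FSTypeSecret))
}

func main() {
	v := Volume{FSProjected, []string{"serviceAccountToken", "configMap", "downwardAPI"}}
	fmt.Println(VolumePermitted([]FSType{FSTypeSecret}, v), VolumePermitted([]FSType{"emptyDir"}, v))
}
```
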