Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kube: honor pod security context IDs #14167

Merged
merged 2 commits into from
May 10, 2022
Merged

kube: honor pod security context IDs #14167

merged 2 commits into from
May 10, 2022

Conversation

giuseppe
Copy link
Member

@giuseppe giuseppe commented May 9, 2022

If the RunAsUser, RunAsGroup, SupplementalGroups settings are not overriden in the container security context, then take the value from the pod security context.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

Does this PR introduce a user-facing change?

The RunAsUser, RunAsGroup, SupplementalGroups settings from the pod security context are honored.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 9, 2022
rhatdan
rhatdan reviewed May 9, 2022
View reviewed changes
pkg/domain/infra/abi/play.go Outdated
LogDriver: options.LogDriver,
LogOptions: options.LogOptions,
Labels: labels,
PodSecurityContext: podYAML.Spec.SecurityContext,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sort please.

@rhatdan
Copy link
Member

rhatdan commented May 9, 2022

LGTM other then a couple of sort requests.
@cdoern @umohnani8 @vrothberg PTAL

@giuseppe giuseppe force-pushed the play-kube-honor-pod-security-context branch from 4bbe511 to 36fb52a Compare May 10, 2022 07:09
@giuseppe
kube: refactor setupSecurityContext to accept directly the security ctx
82a4b8f 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe
kube: honor pod security context IDs
9e1ee08 
If the RunAsUser, RunAsGroup, SupplementalGroups settings are not
overriden in the container security context, then take the value from
the pod security context.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe giuseppe force-pushed the play-kube-honor-pod-security-context branch from 36fb52a to 9e1ee08 Compare May 10, 2022 07:09
vrothberg
vrothberg approved these changes May 10, 2022
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 10, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented May 10, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, vrothberg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vrothberg
Copy link
Member

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 10, 2022
@rhatdan
Copy link
Member

rhatdan commented May 10, 2022

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 10, 2022
@openshift-merge-robot openshift-merge-robot merged commit 23826c5 into containers:main May 10, 2022
@edsantiago edsantiago mentioned this pull request May 10, 2022
Closed
@edsantiago edsantiago mentioned this pull request Jun 2, 2022
Closed
@fwiesel fwiesel mentioned this pull request Jun 29, 2023
Merged
fwiesel added a commit to fwiesel/podman that referenced this pull request Jun 29, 2023
@fwiesel
[CI:DOCS] Document support of pod security context IDs
0d7da5c 
With PR containers#14167, the pod-level security Context ID are supported, while the markdown says it isn't.
This patch fixes it.

```
None
```

Signed-off-by: Fabian Wiesel <fwiesel@users.noreply.github.com>
ashley-cui pushed a commit to ashley-cui/podman that referenced this pull request Jul 13, 2023
@fwiesel @ashley-cui
[CI:DOCS] Document support of pod security context IDs
cf5c4c9 
With PR containers#14167, the pod-level security Context ID are supported, while the markdown says it isn't.
This patch fixes it.

```
None
```

Signed-off-by: Fabian Wiesel <fwiesel@users.noreply.github.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 21, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@rhatdan rhatdan rhatdan left review comments

@vrothberg vrothberg vrothberg approved these changes

Assignees

@vrothberg vrothberg

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@giuseppe @rhatdan @vrothberg @openshift-merge-robot