
Do not set securityContext on Openshift < 4.11 #2678

Merged
merged 3 commits into from
Jul 31, 2023

Conversation

pglass
Contributor

@pglass pglass commented Jul 27, 2023

Changes proposed in this PR:

  • This is going into release/1.1.x, and will be backported into release/1.0.x because both of those Consul K8s versions support K8s < 1.23.x and therefore support OpenShift <= 4.10
  • Do not set securityContext on OpenShift < 4.11 because the restricted SCC disallows setting some of those settings. I broke this in Support running with restricted PSA enforcement enabled (part 1) #2572. In OpenShift >= 4.11, setting the securityContext is okay because the new restricted-v2 SCC is available to all users/accounts and allows setting the fields we want to set, and doing so avoids warnings.
  • We determine the OpenShift version in Helm using the Kube version because there is a 1:1 mapping of OpenShift to Kube versions.

How I've tested this PR:

How I expect reviewers to test this PR:

👀

Checklist:

@pglass pglass requested review from curtbushko, missylbytes, a team, johnlanda and roncodingenthusiast and removed request for a team July 27, 2023 14:25
them we avoid PSA warnings that are enabled by default.

We use the K8s version as a proxy for the OpenShift version because there is a
1:1 mapping of versions. OpenShift 4.11 corresponds to K8s 1.24.x.
Contributor Author


I'm not sure of a better way to check for OpenShift version. As far as we know and based on their docs (requires login 😞 ), there's a 1:1 mapping between OpenShift and Kube versions so I think this should be okay.

| OpenShift Version | Kubernetes Version |
|-------------------|--------------------|
| 4.9               | 1.22               |
| 4.10              | 1.23               |
| 4.11              | 1.24               |
| 4.12              | 1.25               |
| 4.13              | 1.26               |

Contributor Author


I am also unsure how to unit test this (without actually installing different kubectl / kube versions)

Contributor Author

@pglass pglass Jul 27, 2023


Ah, there is helm template --kube-version.

$ helm template -h | grep kube-version
      --kube-version string                        Kubernetes version used for Capabilities.KubeVersion

I'll add a unit test which uses --kube-version to validate this. edit: Done!
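As an added illustration of the approach described in this PR (example code, not the PR's own template), a Helm template fragment that gates the securityContext on the cluster's Kubernetes version: OpenShift 4.11 corresponds to Kubernetes 1.24, so the fields are omitted only when the chart is told it is on OpenShift and `.Capabilities.KubeVersion.Version` is below 1.24. The `global.openshift.enabled` value name and the Deployment around it are assumptions for the example.

```yaml
# Added example, not the PR's own template code.
# Assumed value: .Values.global.openshift.enabled is true when installing on OpenShift.
# OpenShift 4.11 maps 1:1 to Kubernetes 1.24, so "<1.24.0-0" selects OpenShift <= 4.10,
# whose restricted SCC rejects some of the securityContext fields set below.
{{- $kubeVersion := .Capabilities.KubeVersion.Version }}
{{- $oldOpenShift := and .Values.global.openshift.enabled (semverCompare "<1.24.0-0" $kubeVersion) }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-server
spec:
  template:
    spec:
      {{- if not $oldOpenShift }}
      # On plain Kubernetes and on OpenShift >= 4.11 (restricted-v2 SCC) these
      # fields satisfy the restricted Pod Security Standard and avoid PSA warnings.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      {{- end }}
      containers:
        - name: example
          image: example:latest
          {{- if not $oldOpenShift }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          {{- end }}
```

Rendering the chart once with `helm template --kube-version 1.23.0` and once with `--kube-version 1.24.0` (with the OpenShift value enabled) shows the securityContext absent in the first output and present in the second, which is the check the `--kube-version` flag makes possible without installing different cluster versions.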

Contributor


@pglass added OpenShift versions here for future reference: hashicorp/consul#18307

@pglass pglass force-pushed the pglass/NET-185/fix-psa-openshift-11x branch from 7b95dd1 to eddc97e Compare July 27, 2023 15:34
Contributor

@curtbushko curtbushko left a comment


:chefkiss: This is awesome!

Thank you for bats testing both sides of the versioning. That was going to be the only thing I was concerned about.

@pglass pglass merged commit 8e39475 into release/1.1.x Jul 31, 2023
@pglass pglass deleted the pglass/NET-185/fix-psa-openshift-11x branch July 31, 2023 17:20