[release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14378

knative-prow-robot · 2023-09-14T14:25:37Z

This is an automated cherry-pick of #14363

Fix secure 'secure-pod-defaults' to work with restricted namespaces

codecov · 2023-09-14T14:32:25Z

Codecov Report

Patch coverage: 100.00% and project coverage change: -0.05% ⚠️

Comparison is base (f1617ef) 86.27% compared to head (5bfa412) 86.22%.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.11   #14378      +/-   ##
================================================
- Coverage         86.27%   86.22%   -0.05%     
================================================
  Files               199      199              
  Lines             14811    14814       +3     
================================================
- Hits              12778    12774       -4     
- Misses             1732     1737       +5     
- Partials            301      303       +2

Files Changed	Coverage Δ
pkg/reconciler/revision/resources/queue.go	`98.42% <ø> (ø)`
pkg/apis/serving/v1/revision_defaults.go	`97.48% <100.00%> (+0.04%)`	⬆️

... and 4 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

dprotaso · 2023-09-14T15:10:41Z

/retest
/lgtm
/approve

knative-prow · 2023-09-14T15:10:49Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, knative-prow-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [dprotaso]
~~pkg/apis/OWNERS~~ [dprotaso]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

dprotaso · 2023-09-14T16:14:03Z

/retest

dprotaso · 2023-09-14T18:31:42Z

/override "test (v1.26.x, kourier-tls, e2e)"

knative-prow · 2023-09-14T18:31:46Z

@dprotaso: Overrode contexts on behalf of dprotaso: test (v1.26.x, kourier-tls, e2e)

In response to this:

/override "test (v1.26.x, kourier-tls, e2e)"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

dprotaso · 2023-09-14T19:53:17Z

/override "test (v1.25.x, kourier-tls, e2e)"

knative-prow · 2023-09-14T19:53:20Z

@dprotaso: Overrode contexts on behalf of dprotaso: test (v1.25.x, kourier-tls, e2e)

In response to this:

/override "test (v1.25.x, kourier-tls, e2e)"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

dprotaso · 2023-09-14T20:02:19Z

/override "test (v1.27.x, kourier-tls, e2e)"

knative-prow · 2023-09-14T20:02:22Z

@dprotaso: Overrode contexts on behalf of dprotaso: test (v1.27.x, kourier-tls, e2e)

In response to this:

/override "test (v1.27.x, kourier-tls, e2e)"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

* [release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14378) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot --------- Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com> * Leave a comment which will trigger a new dot release (knative#14500) * [release-1.11] bump x/net to v0.17 (knative#14516) * [release-1.11] bump x/net to v1.17 * Re-generate test/config/tls/cert-secret.yaml (knative#14324) * Run hack/update-codegen.sh --upgrade --release 1.11 * Update secure-pod-defaults patch --------- Co-authored-by: Knative Prow Robot <automation+prow-robot@knative.team> Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com> Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com>

* [release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14378) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot --------- Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com> * Leave a comment which will trigger a new dot release (knative#14500) * [release-1.11] bump x/net to v0.17 (knative#14516) * [release-1.11] bump x/net to v1.17 * Re-generate test/config/tls/cert-secret.yaml (knative#14324) * Run hack/update-codegen.sh --upgrade --release 1.11 * Bound buffer for reading stats (knative#14542) Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com> --------- Co-authored-by: Knative Prow Robot <automation+prow-robot@knative.team> Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com> Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com> Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>

* [release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14378) * add seccompProfile to queue container security context * run as non root by default * update tests to expect new default run as nonroot --------- Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com> * Leave a comment which will trigger a new dot release (knative#14500) * [release-1.11] bump x/net to v0.17 (knative#14516) * [release-1.11] bump x/net to v1.17 * Re-generate test/config/tls/cert-secret.yaml (knative#14324) * Run hack/update-codegen.sh --upgrade --release 1.11 * Bound buffer for reading stats (knative#14542) Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com> * upgrade to latest dependencies (knative#14552) bumping knative.dev/pkg bd99f2f...56bfe0d: > 56bfe0d [release-1.11] [CVE-2023-44487] Disable http2 for webhooks (# 2875) bumping knative.dev/caching 24ff723...ee89f75: > ee89f75 upgrade to latest dependencies (# 797) Signed-off-by: Knative Automation <automation@knative.team> * Upgrade grpc for addressing GHSA-m425-mq94-257g (knative#14579) More info at GHSA-m425-mq94-257g * remove duplicate 'additionalPrinterColumns' (knative#14654) Signed-off-by: Kenny Leung <kleung@chainguard.dev> Co-authored-by: Kenny Leung <kleung@chainguard.dev> * [release-1.11] Bump to fix knative#14732 (knative#14734) * Bump to fix knative#14732 * Bump to fix serving/knative#14732 * Sync with upstream release-1.11 --------- Signed-off-by: Knative Automation <automation@knative.team> Signed-off-by: Kenny Leung <kleung@chainguard.dev> Co-authored-by: Knative Prow Robot <automation+prow-robot@knative.team> Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com> Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com> Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com> Co-authored-by: Knative Automation <automation@knative.team> Co-authored-by: Juan Sanin <jsanin@vmware.com> Co-authored-by: Kenny Leung <kleung@chainguard.dev> Co-authored-by: Dave Protasowski <dprotaso@gmail.com>

KauzClay added 3 commits September 14, 2023 14:25

add seccompProfile to queue container security context

9e6d958

run as non root by default

96ea93b

update tests to expect new default run as nonroot

5bfa412

knative-prow-robot mentioned this pull request Sep 14, 2023

fix securityContext for Knative Service Pod (user-container and queue-proxy) #14363

Merged

knative-prow bot requested a review from krsna-m September 14, 2023 14:25

knative-prow bot added the area/API API objects and controllers label Sep 14, 2023

knative-prow bot requested a review from psschwei September 14, 2023 14:25

knative-prow bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Sep 14, 2023

knative-prow bot assigned dprotaso Sep 14, 2023

knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Sep 14, 2023

knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2023

knative-prow bot merged commit f60eb32 into knative:release-1.11 Sep 14, 2023
54 of 57 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14378

[release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14378

knative-prow-robot commented Sep 14, 2023 •

edited by dprotaso

Loading

codecov bot commented Sep 14, 2023 •

edited

Loading

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

[release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14378

[release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) #14378

Conversation

knative-prow-robot commented Sep 14, 2023 • edited by dprotaso Loading

codecov bot commented Sep 14, 2023 • edited Loading

Codecov Report

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

dprotaso commented Sep 14, 2023

knative-prow bot commented Sep 14, 2023

knative-prow-robot commented Sep 14, 2023 •

edited by dprotaso

Loading

codecov bot commented Sep 14, 2023 •

edited

Loading