Bug 2086519: AUTH-133: test/extended/security/scc: comply to pod security admission #27269
Conversation
stlaz
force-pushed
the
sur_tests_restricted
branch
from
0e7b91a
to
6094348
Compare
openshift-ci
bot
added
bugzilla/severity-urgent
|
@stlaz: This pull request references Bugzilla bug 2086519, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (ytripath@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| @@ -27,7 +29,7 @@ var _ = g.Describe("[sig-builds][Feature:Builds] prune builds based on settings | |||
| failedBuildConfig = filepath.Join(buildPruningBaseDir, "failed-build-config.yaml") | |||
| erroredBuildConfig = filepath.Join(buildPruningBaseDir, "errored-build-config.yaml") | |||
| groupBuildConfig = filepath.Join(buildPruningBaseDir, "default-group-build-config.yaml") | |||
| oc = exutil.NewCLI("build-pruning") | |||
| oc = exutil.NewCLIWithPodSecurityLevel("build-pruning", admissionapi.LevelBaseline) | |||
There was a problem hiding this comment.
In general, I am wondering if we need to expose the complexity of PodSecurityLevel to everyone. Maybe we could add admissionapi.LevelBaseline to every exutil.NewCLI by default and only set exutil.NewCLIWithPodSecurityLevel in the case of admissionapi.LevelRestricted or admissionapi.LevelPrivileged.
There was a problem hiding this comment.
The default is there already, and this PR moves it to "restricted". We specifically want this to be the most restricted mode so that anyone raising it is aware that raised privileges are necessary.
Here, I am just being explicit with changing the previous value, I think it might be better to explicitly state the intent in case the defaults ever change.
There was a problem hiding this comment.
The default must be the most secure one (restricted). only once your e2e workload needs broader permissions you have to make a conscious choice (baseline or restricted). This behaviour also aligns with upstream.
|
/lgtm |
stlaz
force-pushed
the
sur_tests_restricted
branch
from
6094348
to
2a975df
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ibihim, soltysh, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest-required |
|
@stlaz: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@stlaz: All pull requests linked via external trackers have merged:
Bugzilla bug 2086519 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Obsoletes #27154
/assign @ibihim