Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow users to set containers[*].securityContext.runAsGroup #12003

Merged
merged 3 commits into from
Sep 20, 2021
Merged

Allow users to set containers[*].securityContext.runAsGroup #12003

merged 3 commits into from
Sep 20, 2021

Conversation

dprotaso
Copy link
Member

@dprotaso dprotaso commented Sep 15, 2021
edited
Loading

Part of: #9067

Release Note

Allow users to set container[*].securityContext.runAsGroup

@google-cla google-cla bot added the cla: yes Indicates the PR's author has signed the CLA. label Sep 15, 2021
@knative-prow-robot knative-prow-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. area/API API objects and controllers approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 15, 2021
@dprotaso dprotaso changed the title Allow users to set container[*].securityContext.runAsGroup Allow users to set containers[*].securityContext.runAsGroup Sep 15, 2021
@codecov
Copy link

codecov bot commented Sep 15, 2021
edited
Loading

Codecov Report

Merging #12003 (b5056b2) into main (76cb92b) will decrease coverage by 0.01%.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #12003      +/-   ##
==========================================
- Coverage   87.54%   87.53%   -0.02%     
==========================================
  Files         196      196              
  Lines        9506     9503       -3     
==========================================
- Hits         8322     8318       -4     
- Misses        912      913       +1     
  Partials      272      272
Impacted Files Coverage Δ
pkg/apis/serving/fieldmask.go 95.00% <100.00%> (-0.06%) ⬇️
pkg/autoscaler/statforwarder/forwarder.go 90.74% <0.00%> (-5.56%) ⬇️
pkg/autoscaler/statforwarder/processor.go 88.88% <0.00%> (-5.56%) ⬇️
pkg/activator/net/revision_backends.go 92.51% <0.00%> (ø)
pkg/autoscaler/statforwarder/leases.go 76.97% <0.00%> (+1.43%) ⬆️
pkg/reconciler/revision/reconcile_resources.go 83.13% <0.00%> (+2.40%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 76cb92b...b5056b2. Read the comment docs.

@dprotaso
Drop container details in the PodSecurityContext feature flag descrip…
83a973a 
…tion

Most of them you can set and we shouldn't advertise setting RunAsNonRoot=false
since it behaves the same when the field is not set
@dprotaso
drop flag checks for RunAsNonRoot since unset and false are equivalent
b5056b2
@dprotaso
Copy link
Member Author

/retest

@dprotaso
Copy link
Member Author

/assign @julz @markusthoemmes

psschwei
psschwei reviewed Sep 17, 2021
View reviewed changes
Copy link
Contributor

@psschwei psschwei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but given that the discussion seems to still be open want to let others weigh in

markusthoemmes
markusthoemmes reviewed Sep 20, 2021
View reviewed changes
pkg/apis/serving/fieldmask.go
Comment on lines -613 to -615
if in.RunAsNonRoot != nil && *in.RunAsNonRoot {
out.RunAsNonRoot = in.RunAsNonRoot
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC we had some reason to only allow true through here. You sure that's not necessary?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a comment below regarding this

	// RunAsNonRoot when unset behaves the same way as false
 	// We do want the ability for folks to set this value to true

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we were worried that people may have defaulted runAsNonRoot to true, in which case allowing it to be false would be a security regression. I think the PSP doesn't allow you to default runAsNonRoot though (it just has a MustRunAsNonRoot setting instead) so this might be fine.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.. in fact it's a straight boolean and not a pointer, so it can't really be defaulted any way other than false

julz
julz approved these changes Sep 20, 2021
View reviewed changes
Copy link
Member

@julz julz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold to check @markusthoemmes is OK with this too

@knative-prow-robot knative-prow-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Sep 20, 2021
@knative-prow-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, julz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@markusthoemmes
Copy link
Contributor

/unhold

me fine.

@knative-prow-robot knative-prow-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 20, 2021
@knative-prow-robot knative-prow-robot merged commit bf6ef00 into knative:main Sep 20, 2021
@dprotaso dprotaso deleted the security-context branch September 21, 2021 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markusthoemmes markusthoemmes markusthoemmes left review comments

@psschwei psschwei psschwei left review comments

@julz julz julz approved these changes

Assignees

@julz julz

@markusthoemmes markusthoemmes

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/API API objects and controllers cla: yes Indicates the PR's author has signed the CLA. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@dprotaso @knative-prow-robot @markusthoemmes @julz @psschwei