search

openshift / machine-config-operator

Apache License 2.0
244 stars 396 forks source link

OCPBUGS-36175: Remove privileged flag from on-prem containers #4443

Open cybertron opened 3 weeks ago

cybertron commented 3 weeks ago

It turns out we don't need this in some cases and in others we can get by with specific capabilities instead of a fully privileged container. This is more secure because it means even a compromised container won't have as much ability to cause trouble.

- What I did

- How to verify it

- Description for the changelog

openshift-ci-robot commented 3 weeks ago

@cybertron: This pull request references Jira Issue OCPBUGS-36175, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to [this](https://github.com/openshift/machine-config-operator/pull/4443): >It turns out we don't need this in some cases and in others we can get by with specific capabilities instead of a fully privileged container. This is more secure because it means even a compromised container won't have as much ability to cause trouble. > > > >**- What I did** > >**- How to verify it** > >**- Description for the changelog** > > Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fmachine-config-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
cybertron commented 3 weeks ago

/jira refresh

openshift-ci-robot commented 3 weeks ago

@cybertron: This pull request references Jira Issue OCPBUGS-36175, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug * bug is open, matching expected state (open) * bug target version (4.17.0) matches configured target version for branch (4.17.0) * bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact: /cc @zhaozhanqi

In response to [this](https://github.com/openshift/machine-config-operator/pull/4443#issuecomment-2195156522): >/jira refresh Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Fmachine-config-operator). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.
cybertron commented 3 weeks ago

/test e2e-metal-ipi-ovn-ipv6 /test e2e-metal-ipi-ovn-dualstack

cybertron commented 3 weeks ago

/retest-required

None of these templates are used in hypershift so this can't have broken it.

mkowalski commented 1 week ago

/lgtm

cybertron commented 1 week ago

/assign @yuqi-zhang /assign @sinnykumari

cybertron commented 1 week ago

Yes, you're right, we should drop it from those as well. New revision coming shortly.

openshift-ci[bot] commented 1 week ago

New changes are detected. LGTM label has been removed.

openshift-ci[bot] commented 1 week ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cybertron, mkowalski Once this PR has been reviewed and has the lgtm label, please ask for approval from sinnykumari. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files: - **[OWNERS](https://github.com/openshift/machine-config-operator/blob/master/OWNERS)** Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
cybertron commented 5 days ago

/retest-required

openshift-ci[bot] commented 5 days ago

@cybertron: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-vsphere-ovn-zones 9542711f993cd01403544d1b082cebb6b453de70 link false /test e2e-vsphere-ovn-zones
ci/prow/e2e-vsphere-ovn-upi 9542711f993cd01403544d1b082cebb6b453de70 link false /test e2e-vsphere-ovn-upi
ci/prow/e2e-vsphere-ovn-upi-zones 9542711f993cd01403544d1b082cebb6b453de70 link false /test e2e-vsphere-ovn-upi-zones
ci/prow/e2e-aws-ovn-upgrade 9542711f993cd01403544d1b082cebb6b453de70 link true /test e2e-aws-ovn-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).