openyurtio / yurt-app-manager

The workload controller manager from NodePool level in OpenYurt cluster
Apache License 2.0

Initialize capabilities to support enabling containers[*].securityContext.privileged for UnitedDeployment #26

Closed wawlian closed 2 years ago

wawlian commented 3 years ago

What type of PR is this?

/kind feature

What this PR does / why we need it:

Currently, enabling `containers[*].securityContext.privileged` of `UnitedDeployment` is forbidden even when `--allow-privileged` is enabled in kube-apiserver. For example, applying the YAML below will get a "`disallowed by cluster policy`" complaint from the admission webhook `vuniteddeployment.kb.io`.

```yaml
apiVersion: apps.openyurt.io/v1alpha1
kind: UnitedDeployment
metadata:
  name: test-privileged
spec:
  selector:
    matchLabels:
      app: test-privileged
  workloadTemplate:
    deploymentTemplate:
      metadata:
        labels:
          app: test-privileged
      spec:
        template:
          metadata:
            labels:
              app: test-privileged
          spec:
            containers:
            - name: test-privileged
              image: wawlian/prom-demo:0.1
              imagePullPolicy: Always
              command: ["/usr/bin/prom-demo"]
              securityContext:
                capabilities:
                  add: ["CAP_SYS_ADMIN", "CAP_SYS_RAWIO", "CAP_SYS_MODULE", "CAP_SYS_RESOURCE", "CAP_AUDIT_CONTROL", "CAP_NET_ADMIN"]
                privileged: true
            imagePullSecrets:
              - name: regsecret
  topology:
    pools:
    - name: zone1
      nodeSelectorTerm:
        matchExpressions:
        - key: apps.openyurt.io/nodepool
          operator: In
          values:
          - np001
      replicas: 1
```

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

other Note
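The admission decision the PR description is about, written out as an added example (this is not code from yurt-app-manager or from the PR; the type names, the `PrivilegedPolicy` struct and the JSON sample are assumptions standing in for the real `k8s.io/api/core/v1` types and the webhook's configuration). It walks the pod template's containers and, like the `vuniteddeployment.kb.io` webhook, rejects `securityContext.privileged: true` with "disallowed by cluster policy" unless the policy has privileged mode enabled; it also covers `initContainers`, which goes slightly beyond the `containers[*]` path the PR names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal stand-ins for the Kubernetes PodSpec fields this check inspects.
// Assumption: production code would use the k8s.io/api/core/v1 types instead.
type SecurityContext struct {
	Privileged *bool `json:"privileged,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	InitContainers []Container `json:"initContainers,omitempty"`
	Containers     []Container `json:"containers"`
}

// PrivilegedPolicy is a hypothetical webhook capability switch: it should be
// enabled only on clusters whose kube-apiserver runs with --allow-privileged,
// otherwise a pod admitted by this webhook would still be rejected upstream.
type PrivilegedPolicy struct {
	AllowPrivileged bool
}

// ValidatePrivileged returns one message per container that requests
// privileged mode while the policy forbids it. An empty result means admit.
func ValidatePrivileged(spec PodSpec, policy PrivilegedPolicy) []string {
	var errs []string
	check := func(path string, cs []Container) {
		for i, c := range cs {
			// Unset securityContext or unset privileged defaults to not privileged.
			if c.SecurityContext == nil || c.SecurityContext.Privileged == nil {
				continue
			}
			if *c.SecurityContext.Privileged && !policy.AllowPrivileged {
				errs = append(errs, fmt.Sprintf(
					"%s[%d].securityContext.privileged: disallowed by cluster policy (container %q)",
					path, i, c.Name))
			}
		}
	}
	check("spec.initContainers", spec.InitContainers)
	check("spec.containers", spec.Containers)
	return errs
}

// Constructed sample: the pod-level part of the UnitedDeployment template from
// the PR description, re-expressed as JSON so it decodes with the standard library.
const samplePodSpec = `{
  "containers": [
    {"name": "test-privileged", "securityContext": {"privileged": true}}
  ]
}`

// ParsePodSpec decodes a JSON pod spec into the reduced PodSpec type above.
func ParsePodSpec(doc string) (PodSpec, error) {
	var spec PodSpec
	err := json.Unmarshal([]byte(doc), &spec)
	return spec, err
}

func main() {
	spec, err := ParsePodSpec(samplePodSpec)
	if err != nil {
		panic(err)
	}
	// Before the PR the webhook effectively ran with AllowPrivileged=false;
	// with it enabled the same template is admitted.
	for _, allow := range []bool{false, true} {
		errs := ValidatePrivileged(spec, PrivilegedPolicy{AllowPrivileged: allow})
		fmt.Printf("allowPrivileged=%v -> %d violation(s) %v\n", allow, len(errs), errs)
	}
}
```

Keeping the switch off by default and tying it to the apiserver's own `--allow-privileged` setting means the webhook never admits a template the apiserver would reject anyway, and a cluster operator still has to opt in before privileged workloads can reach edge nodes.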

openyurt-bot commented 3 years ago

@wawlian: GitHub didn't allow me to assign the following users: your_reviewer.

Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide

In response to [this](https://github.com/openyurtio/yurt-app-manager/pull/26):

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
openyurt-bot commented 3 years ago

Welcome @wawlian! It looks like this is your first PR to openyurtio/yurt-app-manager 🎉

wawlian commented 3 years ago

/assign @huangyuqi

kadisi commented 2 years ago

/lgtm /approve

openyurt-bot commented 2 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kadisi, wawlian

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openyurtio/yurt-app-manager/blob/master/OWNERS)~~ [kadisi]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.
kadisi commented 2 years ago

/lgtm

kadisi commented 2 years ago

/lgtm