Closed savitaashture closed 1 day ago
The following is the coverage report on the affected files.
Say `/test pull-tekton-triggers-go-coverage` to re-run this coverage report
File | Old Coverage | New Coverage | Delta |
---|---|---|---|
pkg/apis/config/default.go | 88.9% | 94.1% | 5.2 |
The following is the coverage report on the affected files.
Say `/test pull-tekton-triggers-go-coverage` to re-run this coverage report
File | Old Coverage | New Coverage | Delta |
---|---|---|---|
pkg/apis/config/default.go | 88.9% | 94.1% | 5.2 |
pkg/reconciler/eventlistener/resources/container.go | 100.0% | 93.1% | -6.9 |
pkg/reconciler/eventlistener/resources/custom.go | 94.1% | 93.3% | -0.8 |
pkg/reconciler/eventlistener/resources/deployment.go | 100.0% | 98.4% | -1.6 |
I think "0" shouldn't be allowed in both the vanilla k8s and OpenShift.
@khrm actually in doc and all it says `0` is valid and it's a root,
but I tried it on kind and see the below error
```
waiting:
  message: 'container''s runAsUser breaks non-root policy (pod: "el-github-listener-5878566fb4-hqt5r_default(086e7204-f323-499c-90a2-4b7e0e277e2d)",
    container: event-listener)'
  reason: CreateContainerConfigError
```
It might be because we have
```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  runAsGroup: 0
  runAsNonRoot: true
  runAsUser: 0
  seccompProfile:
    type: RuntimeDefault
```
`runAsNonRoot: true` and setting `0` :thinking:
Alright, I did verify:
`runAsUser: 0` is failing because of `runAsNonRoot: true`,
but `0` is valid and we cannot stop users from providing those values.
Do we allow setting runAsNonRoot as false? If yes, then it might be a valid value.
Yes, makes sense. Handled here: https://github.com/tektoncd/triggers/pull/1747/commits/848ccb06b94069ef7eb181737ebc67568c1f8ceb
The following is the coverage report on the affected files.
Say `/test pull-tekton-triggers-go-coverage` to re-run this coverage report
File | Old Coverage | New Coverage | Delta |
---|---|---|---|
pkg/apis/config/default.go | 88.9% | 91.7% | 2.8 |
pkg/reconciler/eventlistener/resources/container.go | 100.0% | 93.1% | -6.9 |
pkg/reconciler/eventlistener/resources/custom.go | 94.1% | 93.3% | -0.8 |
pkg/reconciler/eventlistener/resources/deployment.go | 100.0% | 98.4% | -1.6 |
/test
@dibyom PR is ready to review PTAL thank you
@savitaashture: The `/test` command needs one or more targets.
The following commands are available to trigger required jobs:
/test pull-tekton-triggers-build-tests
/test pull-tekton-triggers-integration-tests
/test tekton-triggers-unit-tests
The following commands are available to trigger optional jobs:
/test pull-tekton-triggers-go-coverage
Use `/test all` to run all jobs.
The following is the coverage report on the affected files.
Say `/test pull-tekton-triggers-go-coverage` to re-run this coverage report
File | Old Coverage | New Coverage | Delta |
---|---|---|---|
pkg/apis/config/default.go | 88.9% | 88.2% | -0.7 |
/test tekton-triggers-unit-tests
Let's rebase these. @savitaashture We can merge the PR then.
@khrm Done. It's ready now.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: khrm
/lgtm
Changes
As part of https://github.com/tektoncd/triggers/pull/1747/commits/48f257d9cc8539c9e05ad51536f403d43c43c96e and https://github.com/tektoncd/triggers/pull/1747/commits/add787c2d667ae8222d73d6a3257b7c703a49fed
if `default-run-as-user` and `default-run-as-group` are empty ("") then don't set container SCC for runAsUser and runAsGroup, because users on platforms like OpenShift generally don't set these values and they will be set with defaults. So added a check to handle the same.
As part of https://github.com/tektoncd/triggers/pull/1747/commits/848ccb06b94069ef7eb181737ebc67568c1f8ceb
Added new field `default-run-as-non-root` to the `config-defaults-triggers` configmap so that RunAsNonRoot can now be configured through the CM.
Reason for configuring runAsNonRoot through cm
0
which is a valid value, but because of `runAsNonRoot: true`
getting below error
0
basically this can be the combination
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
`/kind <type>`. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
Release Notes
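
The handling described in this PR, sketched as an added Go example that is not the code from tektoncd/triggers. It assumes local stand-in types instead of the Kubernetes API structs, a hypothetical helper name `FromDefaults`, and that an empty `default-run-as-non-root` leaves the field unset.

```go
package main

import (
	"fmt"
	"strconv"
)

// SecurityContext is a local stand-in for the Kubernetes container fields discussed above.
type SecurityContext struct {
	RunAsUser, RunAsGroup *int64
	RunAsNonRoot          *bool
}

// parseID returns nil for "" so the field stays unset and the platform can assign it.
func parseID(key, v string) (*int64, error) {
	if v == "" {
		return nil, nil
	}
	n, err := strconv.ParseInt(v, 10, 64)
	if err != nil || n < 0 {
		return nil, fmt.Errorf("%s: %q is not a non-negative integer", key, v)
	}
	return &n, nil
}

// FromDefaults rejects runAsUser 0 with runAsNonRoot true, the pair that failed above.
func FromDefaults(cm map[string]string) (sc *SecurityContext, err error) {
	sc = &SecurityContext{}
	if sc.RunAsUser, err = parseID("default-run-as-user", cm["default-run-as-user"]); err != nil {
		return nil, err
	}
	if sc.RunAsGroup, err = parseID("default-run-as-group", cm["default-run-as-group"]); err != nil {
		return nil, err
	}
	if v := cm["default-run-as-non-root"]; v != "" {
		b, err := strconv.ParseBool(v)
		if err != nil {
			return nil, fmt.Errorf("default-run-as-non-root: %w", err)
		}
		sc.RunAsNonRoot = &b
	}
	if sc.RunAsUser != nil && *sc.RunAsUser == 0 && sc.RunAsNonRoot != nil && *sc.RunAsNonRoot {
		return nil, fmt.Errorf("runAsUser 0 conflicts with runAsNonRoot true")
	}
	return sc, nil
}

func main() { // constructed sample values
	fmt.Println(FromDefaults(map[string]string{"default-run-as-user": "0", "default-run-as-non-root": "true"}))
}
```

Catching the conflicting pair when the configuration is read reports it before a pod is created, instead of as `CreateContainerConfigError` on the running listener.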