apiserver-library-go's Issues

Can only specify one valid set of seLinuxOptions per SCC

Ideally I would like to be able to specify multiple valid sets to match against. Right now I need duplicate SCCs for each type I want to allow.

If, for example, I want to allow both container_t and spc_t, I need to have two policies bound to my SA with everything except seLinuxContext duplicated.

SCC errors regarding seccomp are missing provider name

As you can see in the following snippet (the `@@@`-prefixed line), the seccomp errors look like they occur in the context of the hostmount-anyuid provider, but they actually do not: they occur during consideration of an SCC called "kubevirt-controller" (which made this tricky to debug).

```
E1109 09:04:41.472725       1 util.go:72] pods "virt-export-vme-test-cvrbnzr8k7ts" is forbidden: unable to validate against any security context constraint:
[
provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{107}: 107 is not an allowed group,
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
@@@provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/vme-test-cvrbnzr8k7ts]: Forbidden: seccomp may not be set,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "bridge-marker": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner-csi": Forbidden: not usable by user or serviceaccount,
provider "linux-bridge": Forbidden: not usable by user or serviceaccount,
provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount,
provider "rook-ceph": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount
]
```

Note: I added the newlines; the original output is:

```
E1109 09:04:41.472725       1 util.go:72] pods "virt-export-vme-test-cvrbnzr8k7ts" is forbidden: unable to validate against any security context constraint: [provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{107}: 107 is not an allowed group, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/vme-test-cvrbnzr8k7ts]: Forbidden: seccomp may not be set, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "bridge-marker": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner-csi": Forbidden: not usable by user or serviceaccount, provider "linux-bridge": Forbidden: not usable by user or serviceaccount, provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
```

May be worth making this a bit nicer with newlines?

SCC: Cannot specify partial seLinuxOptions

I'm running GitLab Runner on OpenShift, and GitLab Runner only allows me to specify the type of seLinuxOptions; the rest of the values are left unspecified.

This requires me to use an SCC with RunAsAny for seLinuxContext since the logic for validating it matches on all fields.

If I don't specify a field in the SCC, it seems to validate against a default value; however, the value from the pod is not replaced by a default if missing/empty, which means my pod is rejected.

Example SCC:

```yaml
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: gitlab-runner-jobs
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
  seLinuxOptions:
    type: spc_t
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
allowedCapabilities:
  - SYS_CHROOT
  - SETUID
  - SETGID
  - SETFCAP
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
readOnlyRootFilesystem: false
users:
  - "system:serviceaccount:gitlab-runner-jobs:gitlab-runner-jobs"
```

This rejects a pod with:

```yaml
securityContext:
  seLinuxOptions:
    type: spc_t
```
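To make the two seLinuxOptions complaints above concrete, here is an added Go sketch that is not code from apiserver-library-go: it uses a constructed SELinuxOptions type and assumed cluster defaults (system_u, system_r, s0). A strict all-fields comparison after SCC-side defaulting rejects the partially specified pod from the last issue, comparing only the fields the SCC author set accepts it, and checking the pod against a list of allowed sets shows what the first issue asks for instead of duplicated SCCs.

```go
package main

// SELinuxOptions carries the four fields of a Kubernetes seLinuxOptions block.
// Constructed for this example; it is not a type from apiserver-library-go.
type SELinuxOptions struct {
	User, Role, Type, Level string
}

// WithDefaults fills the fields the SCC author left empty from cluster
// defaults, modelling the SCC-side defaulting the issue describes.
func WithDefaults(scc, d SELinuxOptions) SELinuxOptions {
	or := func(set, def string) string {
		if set != "" {
			return set
		}
		return def
	}
	return SELinuxOptions{
		User:  or(scc.User, d.User),
		Role:  or(scc.Role, d.Role),
		Type:  or(scc.Type, d.Type),
		Level: or(scc.Level, d.Level),
	}
}

// ValidateStrict accepts the pod only if all four fields match exactly; with
// WithDefaults applied to the SCC, a pod that sets just type: spc_t is rejected.
func ValidateStrict(scc, pod SELinuxOptions) bool { return scc == pod }

// ValidateSpecified compares only the fields the SCC explicitly sets, so a
// pod carrying a matching type and nothing else is accepted.
func ValidateSpecified(scc, pod SELinuxOptions) bool {
	m := func(want, got string) bool { return want == "" || want == got }
	return m(scc.User, pod.User) && m(scc.Role, pod.Role) &&
		m(scc.Type, pod.Type) && m(scc.Level, pod.Level)
}

// ValidateAny accepts the pod if any of several allowed option sets matches,
// the behaviour the first issue asks for instead of duplicating SCCs.
func ValidateAny(allowed []SELinuxOptions, pod SELinuxOptions) bool {
	for _, scc := range allowed {
		if ValidateSpecified(scc, pod) {
			return true
		}
	}
	return false
}
```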
