Skip to content

[release-1.10] sync with upstream to include CVE patches #473

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Oct 12, 2023
Merged

[release-1.10] sync with upstream to include CVE patches #473

merged 9 commits into from
Oct 12, 2023

Conversation

@ReToCode
Copy link

@ReToCode ReToCode commented Oct 12, 2023

What this PR does / why we need it:

  • sync with upstream to include CVE patches
  • includes openshift/patches/010-secure-pod-defaults.patch from main branch

Which issue(s) this PR fixes:

JIRA: https://issues.redhat.com/browse/SRVKS-1159

knative-prow-robot and others added 8 commits May 9, 2023 02:27
@knative-prow-robot @dprotaso
Min TLS for tag to digest defaults to 1.2 again and is configurable (k…
fc055b1 
…native#13963)

quay.io only supports 1.2

Co-authored-by: dprotaso <[email protected]>
@knative-prow-robot @dprotaso
drop safe to evict annotations (knative#14051)
cdac06e 
this prevents nodes from draining

Co-authored-by: dprotaso <[email protected]>
@knative-prow-robot @dprotaso
[release-1.10] RandomChoice 2 policy wasn't random when the number of…
500756c 
… targets is 2 (with equal weight) (knative#14052)

* RandomChoice 2 policy wasn't random when the number of targets is 2

* fix linting

---------

Co-authored-by: dprotaso <[email protected]>
@knative-prow-robot @KauzClay @dprotaso
[release-1.10] fix securityContext for Knative Service Pod (user-cont…
60754c3 
…ainer and queue-proxy) (knative#14377)

* add seccompProfile to queue container security context

* run as non root by default

* update tests to expect new default run as nonroot

* fix perms

---------

Co-authored-by: Clay Kauzlaric <[email protected]>
Co-authored-by: Dave Protasowski <[email protected]>
@ReToCode
Leave a comment which will trigger a new dot release (knative#14501)
1c0fa5d
@nak3
[release-1.10] bump x/net to v0.17 (knative#14517)
bdc9865 
* [release-1.10] bump x/net to v0.17

* Re-generate test/config/tls/cert-secret.yaml (knative#14324)

* Run hack/upgrade
@ReToCode
Merge remote-tracking branch 'upstream/release-1.10' into upstream-sy…
96a05ac 
…nc-110
@ReToCode
Update secure-pod-defaults patch
7a128e2
@ReToCode ReToCode changed the title [release-1.11] sync with upstream to include CVE patches [release-1.10] sync with upstream to include CVE patches Oct 12, 2023
@openshift-ci openshift-ci bot requested review from mvinkler and nak3 October 12, 2023 08:39
@skonto
Copy link

skonto commented Oct 12, 2023
edited
Loading

We are not using the right S-O branch?

  Conditions:
    Last Transition Time:  2023-10-12T09:04:08Z
    Status:                True
    Type:                  DependenciesInstalled
    Last Transition Time:  2023-10-12T09:04:55Z
    Message:               Waiting on deployments: domain-mapping, domainmapping-webhook
    Reason:                NotReady
    Status:                False
    Type:                  DeploymentsAvailable
    Last Transition Time:  2023-10-12T09:04:08Z
    Status:                True
    Type:                  InstallSucceeded
    Last Transition Time:  2023-10-12T09:04:55Z
    Message:               Waiting on deployments: domain-mapping, domainmapping-webhook
    Reason:                NotReady
    Status:                False
    Type:                  Ready
    Last Transition Time:  2023-10-12T09:03:54Z
    Status:                True
    Type:                  VersionMigrationEligible

@skonto
Copy link

skonto commented Oct 12, 2023 

++ serverless_operator_version
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\7 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\8 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\9 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\1\0 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\1\1 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\1\2 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\1\3 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\1\4 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\1\5 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\1\6 ]]
++ [[ '' == \k\n\a\t\i\v\e\-\v\1\.\1\7 ]]
++ echo main
+ git clone -b main --depth 1 https://github.com/openshift-knative/serverless-operator.git /tmp/knative.rr36uVVp/tmp.LwQwMaws8P
Cloning into '/tmp/knative.rr36uVVp/tmp.LwQwMaws8P'...
+ pushd /tmp/knative.rr36uVVp/tmp.LwQwMaws8P

@skonto
Copy link

skonto commented Oct 12, 2023
edited
Loading

@ReToCode @nak3 should not we check against KNATIVE_SERVING_VERSION here: https://github.com/openshift-knative/serving/blob/main/openshift/e2e-common.sh#L94.
No var $branch is set.

@skonto skonto mentioned this pull request Oct 12, 2023
Closed
@skonto
Copy link

skonto commented Oct 12, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 12, 2023
@openshift-ci
Copy link

openshift-ci bot commented Oct 12, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ReToCode, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot merged commit bfaa22c into openshift-knative:release-v1.10 Oct 12, 2023
@skonto skonto mentioned this pull request Oct 12, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mvinkler mvinkler Awaiting requested review from mvinkler

@nak3 nak3 Awaiting requested review from nak3

Assignees

@nak3 nak3

@skonto skonto

Labels

approved lgtm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ReToCode @skonto @nak3 @knative-prow-robot