Skip to content

Implement set-security-context feature for affinity assistant containers #8182

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 18, 2024
Merged

Implement set-security-context feature for affinity assistant containers #8182

merged 1 commit into from
Sep 18, 2024

Conversation

@kristofferchr
Copy link
Contributor

@kristofferchr kristofferchr commented Aug 6, 2024
edited
Loading

Solves #8181

Needed for this issue: #8183

Changes

Added container securityContext for affinity assistant when feature flag set-security-context is set to true.
Implemented for both windows and linux OS. )

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • pre-commit Passed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Affinity Assistant containers will now have a securityContext when feature flag `set-security-context` is enabled in ConfigMap `feature-flags`.

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 6, 2024
@tekton-robot
Copy link
Collaborator

Hi @kristofferchr. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kristofferchr
Copy link
Contributor Author

/kind feature

@tekton-robot tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 6, 2024
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@kristofferchr kristofferchr force-pushed the 5-set-container-level-securitycontext-for-affinity-assistant branch from d78fc27 to 8c3d09f Compare August 6, 2024 10:41
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

vdemeester
vdemeester approved these changes Aug 6, 2024
View reviewed changes
@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 6, 2024
@kristofferchr kristofferchr force-pushed the 5-set-container-level-securitycontext-for-affinity-assistant branch from 8c3d09f to d7d9791 Compare August 7, 2024 07:27
@kristofferchr
Copy link
Contributor Author

@vdemeester is this /ok-to-test ?

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@kristofferchr kristofferchr mentioned this pull request Aug 7, 2024
Merged
8 tasks
@chitrangpatel
Copy link
Contributor

/ok-to-test

@tekton-robot tekton-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 7, 2024
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@vdemeester
Copy link
Member

/retest

@chitrangpatel
Copy link
Contributor

/lgtm

@tekton-robot tekton-robot added lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Aug 22, 2024
@kristofferchr kristofferchr force-pushed the 5-set-container-level-securitycontext-for-affinity-assistant branch from d7d9791 to 1c07e21 Compare August 22, 2024 20:21
@tekton-robot tekton-robot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Aug 22, 2024
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@kristofferchr
Copy link
Contributor Author

@chitrangpatel this needs a new lgtm, had to rebase.

vdemeester
vdemeester approved these changes Aug 29, 2024
View reviewed changes
Copy link
Member

@vdemeester vdemeester left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 29, 2024
@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kristofferchr kristofferchr force-pushed the 5-set-container-level-securitycontext-for-affinity-assistant branch from 1c07e21 to 2f787ae Compare August 30, 2024 09:34
@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Aug 30, 2024
@kristofferchr
Implement set-security-context feature for affinity assistant containers
3173496 
Ensures that when using Affinity Assistant, one can adhere to restricted pod security standards.

Enables users to apply a container level securityContext for Affinity Assistants.
@kristofferchr kristofferchr force-pushed the 5-set-container-level-securitycontext-for-affinity-assistant branch from 2f787ae to 3173496 Compare August 30, 2024 09:37
@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@kristofferchr
Copy link
Contributor Author

kristofferchr commented Aug 30, 2024
edited
Loading

/test pull-tekton-pipeline-integration-tests

@kristofferchr
Copy link
Contributor Author

/test pull-tekton-pipeline-beta-integration-tests

@kristofferchr
Copy link
Contributor Author

/test pull-tekton-pipeline-go-coverage-df

@tekton-robot
Copy link
Collaborator

@kristofferchr: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-tekton-pipeline-alpha-integration-tests
  • /test pull-tekton-pipeline-beta-integration-tests
  • /test pull-tekton-pipeline-build-tests
  • /test pull-tekton-pipeline-integration-tests
  • /test pull-tekton-pipeline-unit-tests

The following commands are available to trigger optional jobs:

  • /test pull-tekton-pipeline-go-coverage

Use /test all to run all jobs.

In response to this:

/test pull-tekton-pipeline-go-coverage-df

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kristofferchr
Copy link
Contributor Author

@vdemeester need another /lgtm rebase changes again.

@tekton-robot
Copy link
Collaborator

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage-df to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/pipelinerun/affinity_assistant.go 96.9% 97.0% 0.1

@vdemeester
Copy link
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 18, 2024
@tekton-robot tekton-robot merged commit 0649270 into tektoncd:main Sep 18, 2024
1 check passed
@kristofferchr kristofferchr deleted the 5-set-container-level-securitycontext-for-affinity-assistant branch September 18, 2024 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vdemeester vdemeester vdemeester approved these changes

@abayer abayer Awaiting requested review from abayer

@afrittoli afrittoli Awaiting requested review from afrittoli

Assignees

@vdemeester vdemeester

@chitrangpatel chitrangpatel

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kristofferchr @tekton-robot @chitrangpatel @vdemeester