Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run test pods with readOnlyRootFileSystem: true #256

Merged
merged 1 commit into from
Dec 17, 2024
Merged

Run test pods with readOnlyRootFileSystem: true #256

merged 1 commit into from
Dec 17, 2024

Conversation

lpiwowar
Copy link
Collaborator

@lpiwowar lpiwowar commented Nov 28, 2024
edited
Loading

Up until now the test pods were being spawned with writable root
file system (readOnlyRootFilesystem: false). This is against the
best security practices as setting the readOnlyRootFileSystem to
false increases the size of the attack surface.

This patch ensures that each pod spawned by the test-operator has
the readOnlyRootFilesystem set to true by default. It is possible
to run a pod with writable roo file system by setting
privileged: true.

Depends-On: openstack-k8s-operators/tcib#233

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Nov 28, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/tcib for 233,83d79be1074c83e028fb426f749af732f3684fb2

lpiwowar added a commit to lpiwowar/test-operator that referenced this pull request Nov 28, 2024
@lpiwowar
[Testing] readOnlyRootFileSystem
8daf05a 
Depends-On: openstack-k8s-operators#256
@lpiwowar lpiwowar mentioned this pull request Nov 28, 2024
Draft
@lpiwowar
Copy link
Collaborator Author

recheck

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/b80284a9580e4e9da36a39b26e15515e

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 38m 32s
podified-multinode-edpm-deployment-crc-test-operator TIMED_OUT in 3h 12m 07s

lpiwowar added a commit to lpiwowar/test-operator that referenced this pull request Nov 29, 2024
@lpiwowar
[Testing] readOnlyRootFileSystem
27d1706 
Depends-On: openstack-k8s-operators#256
@lpiwowar lpiwowar force-pushed the readOnlyRootFilesystem branch from cb6b5b1 to 4edf588 Compare November 29, 2024 14:49
lpiwowar added a commit to lpiwowar/test-operator that referenced this pull request Nov 29, 2024
@lpiwowar
[Testing] readOnlyRootFileSystem
6823cfd 
Depends-On: openstack-k8s-operators#256
@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/cf6b24dd75da42609e6384cda6085b97

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 26m 48s
podified-multinode-edpm-deployment-crc-test-operator TIMED_OUT in 3h 11m 23s

lpiwowar added a commit to lpiwowar/test-operator that referenced this pull request Dec 2, 2024
@lpiwowar
[Testing] readOnlyRootFileSystem
497ea3a 
Depends-On: openstack-k8s-operators#256
lpiwowar added a commit to lpiwowar/test-operator that referenced this pull request Dec 6, 2024
@lpiwowar
[Testing] readOnlyRootFileSystem
2ced73e 
Depends-On: openstack-k8s-operators#256
@lpiwowar
Copy link
Collaborator Author

lpiwowar commented Dec 9, 2024

/test all

@lpiwowar
Copy link
Collaborator Author

lpiwowar commented Dec 9, 2024

recheck

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/785b677ae6284477827d3665f605b0f9

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 53m 42s
podified-multinode-edpm-deployment-crc-test-operator FAILURE in 1h 43m 46s

@lpiwowar
Copy link
Collaborator Author

lpiwowar commented Dec 9, 2024

recheck

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/456573d5794742f593cac02cb634c405

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 57m 02s
podified-multinode-edpm-deployment-crc-test-operator FAILURE in 1h 43m 00s

@lpiwowar lpiwowar force-pushed the readOnlyRootFilesystem branch from 4edf588 to f9a66cc Compare December 10, 2024 09:18
@lpiwowar lpiwowar marked this pull request as ready for review December 10, 2024 09:19
@openshift-ci openshift-ci bot requested review from kopecmartin and stuggi December 10, 2024 09:19
@lpiwowar lpiwowar removed the request for review from stuggi December 10, 2024 09:20
@lpiwowar lpiwowar mentioned this pull request Dec 10, 2024
Merged
@lpiwowar
Run test pods with readOnlyRootFileSystem: true
046eae0 
Up until now the test pods were being spawned with writable root
file system (readOnlyRootFilesystem: false). This is against the
best security practices as setting the readOnlyRootFileSystem to
false increases the size of the attack surface.

This patch ensures that each pod spawned by the test-operator has
the readOnlyRootFilesystem set to true by default. It is possible
to run a pod with writable roo file system by setting
privileged: true.

Depends-On: openstack-k8s-operators/tcib#233
@lpiwowar lpiwowar force-pushed the readOnlyRootFilesystem branch from f9a66cc to 046eae0 Compare December 10, 2024 09:31
@lpiwowar
Copy link
Collaborator Author

/test test-operator-build-deploy

@softwarefactory-project-zuul softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/751a5477abbb4697aac1ef6ed4d16970

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 20m 59s
podified-multinode-edpm-deployment-crc-test-operator TIMED_OUT in 3h 10m 59s

@lpiwowar
Copy link
Collaborator Author

The promotion for the podified-antelope-centos9 did not pass yesterday (tcib image does not contain the fix yet):

-> We have to wait.

@lpiwowar
Copy link
Collaborator Author

/test test-operator-build-deploy

@lpiwowar
Copy link
Collaborator Author

recheck

promotion finally passed

kopecmartin
kopecmartin approved these changes Dec 17, 2024
View reviewed changes
Copy link
Collaborator

@kopecmartin kopecmartin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks Lukas

@openshift-ci openshift-ci bot added the lgtm label Dec 17, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Dec 17, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kopecmartin, lpiwowar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kopecmartin,lpiwowar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 7797cdf into openstack-k8s-operators:main Dec 17, 2024
8 checks passed
@lpiwowar lpiwowar deleted the readOnlyRootFilesystem branch December 17, 2024 16:04
@lpiwowar lpiwowar mentioned this pull request Jan 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kopecmartin kopecmartin kopecmartin approved these changes

Assignees

@kopecmartin kopecmartin

Labels
approved lgtm Ready For Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lpiwowar @kopecmartin @openshift-merge-robot