Disable insecure parameters by default #263
Conversation
lpiwowar
force-pushed
the
bugfix/runAsNonroot-and-automountServiceAccountToken
branch
from
b20e5cb to
8d0607b
Compare
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/1511969714454c25b9f8679ed3f6acee ✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 57m 07s |
|
recheck |
lpiwowar
force-pushed
the
bugfix/runAsNonroot-and-automountServiceAccountToken
branch
from
8d0607b to
038565e
Compare
|
/hold Let's first merge this one -> #256 |
|
/test test-operator-build-deploy |
3 similar comments
|
/test test-operator-build-deploy |
|
/test test-operator-build-deploy |
|
/test test-operator-build-deploy |
lpiwowar
force-pushed
the
bugfix/runAsNonroot-and-automountServiceAccountToken
branch
from
038565e to
66556b3
Compare
|
Build failed (check pipeline). Post https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/63a494005974489c8906dbd188e0957d ✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 47m 05s |
lpiwowar
force-pushed
the
bugfix/runAsNonroot-and-automountServiceAccountToken
branch
from
66556b3 to
1827a7f
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kstrenkova, lpiwowar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@kstrenkova thank you for the review! 🎉 Can you please run the test-operator locally with this change and execute some smoke tests with it?:) I'm going to remove the |
|
I have run this pr locally for Tempest and Tobiko. The changes seem to be working, so in my opinion lgtm. |
This patch sets by default for all test pods: - runAsNonRoot: true - automountServiceAccountToken: false These two parameters shouldn't be enabled unless necessary for any pods in the OCP cluster. The runAsNonRoot parameter ensures that the container process does not run as root nor does it switch to root user after it has been spawned. And the automountServiceAccountToken makes sure that we are not mounting service account tokens into the test pods. This would allow them to modify the state of the OCP cluster. As of now the service account tokens are not required by any of the test pods. This behavior can be overridden by setting privileged: true.
The epectedFailuresList parameter was added as part of this PR [1] but unfortunatel it was not added to the CSV. This commit fixes that. [1] openstack-k8s-operators#233
lpiwowar
force-pushed
the
bugfix/runAsNonroot-and-automountServiceAccountToken
branch
from
1827a7f to
0a23722
Compare
|
/lgtm |
openshift-merge-bot
bot
merged commit 0da95da
into
openstack-k8s-operators:main
This patch sets by default for all test pods:
runAsNonRoot: trueautomountServiceAccountToken: falseThese two parameters shouldn't be enabled unless necessary for any
pods in the OCP cluster. The runAsNonRoot parameter ensures that
the container process does not run as root nor does it switch to
root user after it has been spawned.
And the automountServiceAccountToken makes sure that we are not
mounting service account tokens into the test pods. This would
allow them to modify the state of the OCP cluster. As of now the
service account tokens are not required by any of the test pods.
This behavior can be overridden by setting
privileged: true.