Pod SecurityContext Changes in 1.12.0-rc2 do not have backwards compatible defaults #69647
Comments
k8s-ci-robot
added
kind/bug
|
@MarcPow: There are no sig labels on this issue. Please add a sig label by either:
Note: Method 1 will trigger an email to the group. See the group list. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
My expectation would be that this would default to "securityContext.procMount: default" @jessfraz - This appears to be related to 30dcca6. I notice that you've put this behind a feature gate. I'll admit that I'm relatively new to Kubernetes. My expectation would be that new fields would default - but is there some convention that says for features of a certain size, or of a certain complexity, we default them to on, and then force backwards compatibility via feature disable? It's not my intent to buck standard approach here. |
|
What is it defaulting to for you now? It should default to default.
…On Wed, Oct 10, 2018 at 6:45 PM MarcPow ***@***.***> wrote:
My expectation would be that this would default to "securityContext.procMount: default"
@jessfraz - This appears to be related to 30dcca6.
I notice that you've put this behind a feature gate. I'll admit that I'm relatively new to Kubernetes. My expectation would be that new fields would default - but is there some convention that says for features of a certain size, or of a certain complexity, we default them to on, and then force backwards compatibility via feature disable? It's not my intent to buck standard approach here.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
|
|
It's not defaulting at all. In the presence of this older manifest definition: securityContext:
It's yelling at me that procMount is required. 2018-10-11T01:00:01.3680048Z error: error validating: error validating data: field spec.template.spec.containers[0].securityContext.procMount for v1.SecurityContext is required; if you choose to ignore these errors, turn validation off with --validate=false |
|
ah ok I will do a fix |
liggitt
changed the title
|
I'm also getting this error for the OpenFaaS helm chart with K8s 1.12. It's not clear from this thread what I need to do to fix this. Can anyone make a suggestion? cc @LucasRoesler @stefanprodan |
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
When deploying a Manifest that is compatible with 1.11.3 against a newly provisioned 1.12.0-rc2 cluster, older manifests no longer worked.
2018-10-11T01:00:01.3680048Z error: error validating: error validating data: field spec.template.spec.containers[0].securityContext.procMount for v1.SecurityContext is required; if you choose to ignore these errors, turn validation off with --validate=false
What you expected to happen:
1.11.3 compatible manifests should work against 1.12.0.rc-2
How to reproduce it (as minimally and precisely as possible):
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
name: traefik-ingress-controller
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: traefik
name: traefik-ingress-lb
ports:
- name: http
containerPort: 80
hostPort: 5001
- name: admin
containerPort: 8080
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
args:
- --api
- --kubernetes
- --logLevel=INFO
Anything else we need to know?:
Environment:
kubectl version):Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.9", GitCommit:"57729ea3d9a1b75f3fc7bbbadc597ba707d47c8a", GitTreeState:"clean", BuildDate:"2018-06-29T01:07:01Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"
kubectl delivered by VSTS Build.
2018-10-11T00:59:54.7599385Z ##[section]Starting: Deploy Traefik Ingress
2018-10-11T00:59:54.7604992Z ==============================================================================
2018-10-11T00:59:54.7606132Z Task : Deploy to Kubernetes
2018-10-11T00:59:54.7606242Z Description : Deploy, configure, update your Kubernetes cluster in Azure Container Service by running kubectl commands.
2018-10-11T00:59:54.7606322Z Version : 0.1.31
2018-10-11T00:59:54.7606416Z Author : Microsoft Corporation
2018-10-11T00:59:54.7606512Z Help : More Information
2018-10-11T00:59:54.7606590Z ==============================================================================
The text was updated successfully, but these errors were encountered: