Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PodSecurity admission #103099

Merged
merged 16 commits into from
Jun 29, 2021
Merged

PodSecurity admission #103099

merged 16 commits into from
Jun 29, 2021

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Jun 22, 2021
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Initial implementation of the core functionality for the PodSecurity feature

Special notes for your reviewer:

Best reviewed commit-by-commit. Commits are ordered by package dependency order.

Remaining follow-up tasks tracked in #103192

Fixes #103215

Fixes #103197

Does this PR introduce a user-facing change?

kube-apiserver: the alpha PodSecurity feature can be enabled by passing `--feature-gates=PodSecurity=true`, and enables controlling allowed pods using namespace labels. See https://git.k8s.io/enhancements/keps/sig-auth/2579-psp-replacement for more details.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://git.k8s.io/enhancements/keps/sig-auth/2579-psp-replacement

/sig auth security

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/dependency Issues or PRs related to dependency changes labels Jun 22, 2021
@k8s-ci-robot k8s-ci-robot requested review from dchen1107, krmayankk and a team June 22, 2021 18:37
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. approved Indicates a PR has been approved by an approver from all required OWNERS files. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/testing Categorizes an issue or PR as relevant to SIG Testing. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 22, 2021
@liggitt liggitt requested a review from deads2k June 22, 2021 18:37
@liggitt liggitt added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 22, 2021
@k8s-ci-robot k8s-ci-robot removed the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Jun 22, 2021
@k8s-ci-robot k8s-ci-robot added area/release-eng Issues or PRs related to the Release Engineering subproject sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/release Categorizes an issue or PR as relevant to SIG Release. labels Jun 22, 2021
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 28, 2021
@liggitt
Copy link
Member Author

liggitt commented Jun 28, 2021
edited
Loading

Dropped the "dropCapabilities" check from the initial PR because we're still debating whether to require dropping NET_RAW or ALL in 1.22 (https://docs.google.com/document/d/1Z26yS26z5saILHzj9nSvlbGOBJP_6c182Fl-vAi8AQY/edit#heading=h.jmjfcor83cb) - moved commits to https://github.com/liggitt/kubernetes/commits/podsecurity-dropcap to save them off

Remaining commits squashed and rebased on master

@liggitt
Copy link
Member Author

liggitt commented Jun 28, 2021

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 28, 2021
@liggitt
Copy link
Member Author

liggitt commented Jun 28, 2021

readding based on #103099 (comment)

checked offline, @enj indicated his review was non-blocking

@liggitt liggitt added lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jun 28, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Jun 28, 2021
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit d92f6c4 into kubernetes:master Jun 29, 2021
@liggitt liggitt deleted the podsecurity branch June 29, 2021 03:54
@pierluigilenoci
Copy link

Love it ❤️

@liggitt liggitt mentioned this pull request Jun 29, 2021
Closed
3 tasks
@tengqm tengqm mentioned this pull request Jun 30, 2021
Merged
@kolyshkin kolyshkin mentioned this pull request Jun 30, 2021
Merged
@barkbay barkbay mentioned this pull request Jul 21, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k deads2k left review comments

@tallclair tallclair tallclair left review comments

Assignees

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/dependency Issues or PRs related to dependency changes area/release-eng Issues or PRs related to the Release Engineering subproject area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

[PodSecurity] Implement PodSecurity framework & skeleton [PodSecurity] baseline - capabilities
7 participants
@liggitt @k8s-ci-robot @caesarxuchao @deads2k @tallclair @fejta-bot @pierluigilenoci