Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PodSecurity] Implement host ports check #103314

Merged
merged 1 commit into from
Jun 30, 2021
Merged

[PodSecurity] Implement host ports check #103314

merged 1 commit into from
Jun 30, 2021

Conversation

PushkarJ
Copy link
Member

@PushkarJ PushkarJ commented Jun 29, 2021
edited by liggitt
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Applies to baseline policy. Since host ports is a niche feature, usage of any host ports is forbidden for either app container or init container

Which issue(s) this PR fixes:

Fixes #103199

Special notes for your reviewer:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://git.k8s.io/enhancements/keps/sig-auth/2579-psp-replacement

/sig auth security

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 29, 2021
@PushkarJ
Copy link
Member Author

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 29, 2021
@liggitt
Copy link
Member

liggitt commented Jun 29, 2021

thanks for the quick turnaround!

@liggitt liggitt added this to the v1.22 milestone Jun 29, 2021
@liggitt liggitt self-assigned this Jun 29, 2021
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 29, 2021
@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

once the test fixtures get trimmed down, looks like this also needs hack/update-gofmt.sh run on it. go ahead and squash to a single commit to streamline merge

@PushkarJ PushkarJ force-pushed the psp-hostports branch 4 times, most recently from 9d34e59 to 9047048 Compare June 30, 2021 16:25
@PushkarJ
[PodSecurity] Implement host ports check
d57e143 
Applies to baseline policy. Since host ports is
a niche feature, usage of any host ports is
forbidden for either app container or init container

Refactored two fixtures into one for non-host ports in app container and init container

Fixes based on PR feedback
- remove no-op if check,
- use correct Int32 list for hostPort
- remove ensureHostPorts func

Removed redundant fixtures as per PR feedback

Removed minimal valid pod

Updates after gofmt
@PushkarJ
Copy link
Member Author

once the test fixtures get trimmed down, looks like this also needs hack/update-gofmt.sh run on it. go ahead and squash to a single commit to streamline merge

@liggitt Trimmed the fixtures, ran gofmt, regenerated fixtures, ran tests again (passing), squashed and rebased to single commit. Waiting for CI jobs now to pass

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 30, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, PushkarJ

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 30, 2021
@PushkarJ
Copy link
Member Author

/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 30, 2021
@k8s-ci-robot k8s-ci-robot merged commit 4dc82f9 into kubernetes:master Jun 30, 2021
@liggitt liggitt mentioned this pull request Jul 10, 2021
Closed
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@krmayankk krmayankk Awaiting requested review from krmayankk

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

[PodSecurity] baseline - hostPorts
3 participants
@PushkarJ @liggitt @k8s-ci-robot