
Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl #103326

Merged (1 commit) Jul 1, 2021

Conversation

@pacoxu (Member) commented Jun 30, 2021

What type of PR is this?

/kind feature
/sig node

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #103298

Special notes for your reviewer:

  • add net.ipv4.ip_unprivileged_port_start to the safe sysctl list
  • permit it in the PodSecurity baseline profile

Does this PR introduce a user-facing change?

Mark net.ipv4.ip_unprivileged_port_start as safe sysctl
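As an added example (not code from this PR or from the Kubernetes project), the following stand-alone Go program performs the kind of check the PodSecurity baseline profile applies to pod.spec.securityContext.sysctls: each requested sysctl name is compared against an allowlist that, after this PR, includes net.ipv4.ip_unprivileged_port_start. The allowlist here is a hard-coded copy assumed for the example (the project's own safe-sysctl list is authoritative), the Sysctl type and CheckBaselineSysctls function are this example's own, the value-range check on ip_unprivileged_port_start is an extra check beyond the baseline profile (which matches names only), and the sample pods are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Sysctl mirrors one entry under pod.spec.securityContext.sysctls.
type Sysctl struct {
	Name  string
	Value string
}

// baselineSafeSysctls is a hard-coded copy of the safe-sysctl allowlist
// assumed for this example; the project's own list is authoritative.
// These sysctls are namespaced (scoped to the pod), which is why the
// baseline profile can permit them.
var baselineSafeSysctls = map[string]bool{
	"kernel.shm_rmid_forced":              true,
	"net.ipv4.ip_local_port_range":        true,
	"net.ipv4.tcp_syncookies":             true,
	"net.ipv4.ping_group_range":           true,
	"net.ipv4.ip_unprivileged_port_start": true, // the entry this PR adds
}

// CheckBaselineSysctls returns one message per sysctl the baseline profile
// would reject (name not in the allowlist). As an extra check beyond the
// profile, which matches names only, the value of
// net.ipv4.ip_unprivileged_port_start must parse as a port number 0-65535.
func CheckBaselineSysctls(sysctls []Sysctl) []string {
	var violations []string
	for _, s := range sysctls {
		if !baselineSafeSysctls[s.Name] {
			violations = append(violations, fmt.Sprintf("forbidden sysctl %q", s.Name))
			continue
		}
		if s.Name == "net.ipv4.ip_unprivileged_port_start" {
			n, err := strconv.Atoi(strings.TrimSpace(s.Value))
			if err != nil || n < 0 || n > 65535 {
				violations = append(violations,
					fmt.Sprintf("sysctl %q: value %q is not a port number", s.Name, s.Value))
			}
		}
	}
	return violations
}

func main() {
	// Constructed sample: the two entries from this PR's fixture, plus a
	// pod requesting a non-namespaced sysctl and an out-of-range value,
	// both of which a baseline check must reject.
	pods := map[string][]Sysctl{
		"fixture-pod": {
			{"net.ipv4.ping_group_range", "1 0"},
			{"net.ipv4.ip_unprivileged_port_start", "1024"},
		},
		"bad-pod": {
			{"net.core.somaxconn", "1024"},
			{"net.ipv4.ip_unprivileged_port_start", "70000"},
		},
	}
	for name, sysctls := range pods {
		v := CheckBaselineSysctls(sysctls)
		if len(v) == 0 {
			fmt.Printf("%s: allowed by baseline\n", name)
			continue
		}
		fmt.Printf("%s: rejected: %s\n", name, strings.Join(v, "; "))
	}
}
```

The allowlist is deliberately a closed set: anything not named is rejected, so a new sysctl becomes usable under the baseline profile only by an explicit change like this PR, not by default.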

@k8s-ci-robot (Contributor) commented:

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. sig/node Categorizes an issue or PR as relevant to SIG Node. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Jun 30, 2021
@k8s-ci-robot k8s-ci-robot requested review from deads2k and liggitt June 30, 2021 04:00
@pacoxu pacoxu marked this pull request as ready for review June 30, 2021 07:07
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 30, 2021
@pacoxu (Member, Author) commented Jul 1, 2021

baseline of PodSecurity is updated

/cc @liggitt @mrunalp @tallclair
/sig network security node auth
/priority important-soon
/triage accepted

@k8s-ci-robot k8s-ci-robot requested review from mrunalp and tallclair July 1, 2021 02:17
@k8s-ci-robot k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. sig/security Categorizes an issue or PR as relevant to SIG Security. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 1, 2021
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 1, 2021
@@ -19,3 +19,5 @@ spec:
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"
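Review bot: this hunk adds the `- name: net.ipv4.ip_unprivileged_port_start` / `value: "1024"` entry to a single testdata fixture, but the pod-security-admission fixtures exist per version, so the other versions' fixtures will be out of sync and their tests will fail; regenerate them all with `UPDATE_POD_SECURITY_FIXTURE_DATA=true go test k8s.io/pod-security-admission/test` rather than hand-editing one file. The quoted `"1024"` matches the `value: "0"` style of the surrounding entries; the unquoted `value: 1 0` on the ping_group_range context line is pre-existing and outside this change.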
A Member commented on the diff:
you'll need to regenerate the testdata for all versions...

run UPDATE_POD_SECURITY_FIXTURE_DATA=true go test k8s.io/pod-security-admission/test to update test fixtures

@liggitt (Member) commented Jul 1, 2021

lgtm once testdata is updated and this has node reviewer ack

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 1, 2021
@liggitt (Member) commented Jul 1, 2021

/lgtm
/approve

/hold for node lgtm

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Jul 1, 2021
@k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, pacoxu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2021
@ehashman (Member) left a review

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 1, 2021
@ehashman (Member) commented Jul 1, 2021

@pacoxu can we get a doc update PR as well?

@liggitt (Member) commented Jul 1, 2021

> @pacoxu can we get a doc update PR as well?

one update in kubernetes/website#28737 ... if there are other files that should be updated, can you comment there?

@k8s-ci-robot k8s-ci-robot merged commit b0af328 into kubernetes:master Jul 1, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jul 1, 2021
pacoxu added a commit to pacoxu/website that referenced this pull request Sep 28, 2021
@pacoxu pacoxu deleted the safe-sysctls branch May 10, 2022 06:30
Successfully merging this pull request may close these issues.

Mark net.ipv4.ip_unprivileged_port_start as a safe sysctl
5 participants