Add a configuration for SecurityContext to reconciled eventlistener Deployment #864

Closed
vdemeester opened this issue Dec 16, 2020 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@vdemeester
Member

With #862 merged, eventlistener deployments can no longer be created by default on OpenShift.
The reason for it is that, by default, you cannot set the uid for your Pods; OpenShift takes care of this. To be able to use runAsUser: 65532 on OpenShift, you need to use anyuid, which is a higher privilege than you usually need.

Before this change, the eventlistener pod(s), in OpenShift, would happily run with a random uid. With this change, the serviceAccount that runs the eventlistener pod(s) needs to have the anyuid scc attached (see here).

The problem with #862 is that the behavior is not configurable, aka we can't disable it if we don't need it.
I propose to add a way to configure this behavior, most likely through a feature-flag (that would be enabled by default).

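The following is an added illustration of the two behaviours this issue contrasts; it is not code from tekton/triggers or from the PR. It assumes a hypothetical `set-security-context` flag and uses a stand-in struct in place of `corev1.PodSecurityContext` so it builds without `k8s.io/api`. The `openshift.io/sa.scc.uid-range` annotation and its `<start>/<size>` format are real OpenShift behaviour; the range value used is a constructed sample.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PodSecurityContext is a stand-in for the runAsUser part of
// corev1.PodSecurityContext so this example builds without k8s.io/api.
// Assumption: the real reconciler would use the corev1 type directly.
type PodSecurityContext struct {
	RunAsUser *int64
}

// eventListenerSecurityContext returns the pod security context the
// reconciler would put on the EventListener Deployment. With the
// hypothetical set-security-context flag off it returns nil, leaving the
// uid to the cluster, which is what OpenShift's restricted SCC expects.
func eventListenerSecurityContext(setSecurityContext bool) *PodSecurityContext {
	if !setSecurityContext {
		return nil
	}
	uid := int64(65532) // the uid #862 hardcodes
	return &PodSecurityContext{RunAsUser: &uid}
}

// parseUIDRange parses the value of the openshift.io/sa.scc.uid-range
// namespace annotation, which has the form "<start>/<size>".
func parseUIDRange(annotation string) (start, size int64, err error) {
	parts := strings.SplitN(annotation, "/", 2)
	if len(parts) != 2 {
		return 0, 0, fmt.Errorf("malformed uid range %q", annotation)
	}
	if start, err = strconv.ParseInt(parts[0], 10, 64); err != nil {
		return 0, 0, fmt.Errorf("bad range start in %q: %w", annotation, err)
	}
	if size, err = strconv.ParseInt(parts[1], 10, 64); err != nil || size <= 0 {
		return 0, 0, fmt.Errorf("bad range size in %q", annotation)
	}
	return start, size, nil
}

// effectiveUID models the MustRunAsRange check of OpenShift's restricted
// SCC: a nil runAsUser is filled in with the start of the namespace range,
// while an explicit uid outside that range is rejected. The rejection is
// exactly the case where the service account would need the anyuid SCC.
func effectiveUID(sc *PodSecurityContext, uidRangeAnnotation string) (int64, error) {
	start, size, err := parseUIDRange(uidRangeAnnotation)
	if err != nil {
		return 0, err
	}
	if sc == nil || sc.RunAsUser == nil {
		return start, nil // cluster-assigned uid, as before #862
	}
	uid := *sc.RunAsUser
	if uid < start || uid >= start+size {
		return 0, fmt.Errorf("uid %d is outside namespace range %d-%d under the restricted SCC; anyuid would be required",
			uid, start, start+size-1)
	}
	return uid, nil
}

func main() {
	const nsRange = "1000680000/10000" // constructed sample annotation value
	for _, flag := range []bool{false, true} {
		uid, err := effectiveUID(eventListenerSecurityContext(flag), nsRange)
		fmt.Printf("set-security-context=%v -> uid=%d err=%v\n", flag, uid, err)
	}
}
```

With the flag off the pod is admitted and runs as the first uid of the namespace range; with it on, the hardcoded 65532 falls outside the range and the restricted SCC rejects the pod, which is why the issue asks for the setting to be configurable.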
@vdemeester vdemeester added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 16, 2020
@MarcelMue
Member

I will try to provide a PR with a fix as I introduced the change.

@MarcelMue
Member

PR which adds a flag is open now. My main concern is that I am unable to test this properly - so would rely on someone trying this on openshift.

@MarcelMue
Member

I added some more unit tests and am fairly confident now that this can be closed.

@vdemeester
Member Author

/close

@tekton-robot

@vdemeester: Closing this issue.

In response to this:

/close
