Skip to content

Add securityContext & disable hostNetwork in cronjob helm template #33077

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 17, 2024
Merged

Add securityContext & disable hostNetwork in cronjob helm template #33077

merged 2 commits into from
Jun 17, 2024

Conversation

Sindvero
Copy link
Contributor

@Sindvero Sindvero commented Jun 11, 2024
edited
Loading

Please ensure your pull request adheres to the following guidelines:

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

Add securityContext and disable hostNetwork for cronjob helm template to follow best security practice.
Fixes: N/A

@Sindvero Sindvero requested review from a team as code owners June 11, 2024 22:07
@maintainer-s-little-helper
Copy link

Commit 16c1d34 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jun 11, 2024
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jun 11, 2024
@Sindvero Sindvero force-pushed the pr/change-cronjob-helm-template branch from 16c1d34 to 18969aa Compare June 11, 2024 22:12
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jun 11, 2024
chancez
chancez approved these changes Jun 12, 2024
View reviewed changes
Copy link
Contributor

@chancez chancez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable. I don't see any reasons that we need hostNetworking or extra privileges.

aanm
aanm reviewed Jun 12, 2024
View reviewed changes
@rolinh rolinh added sig/hubble release-note/misc This PR makes changes that have no direct user impact. labels Jun 13, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 13, 2024
@rolinh rolinh added the area/helm Impacts helm charts and user deployment experience label Jun 13, 2024
@dylandreimerink
Copy link
Member

/test

@aanm aanm force-pushed the pr/change-cronjob-helm-template branch from 8896a52 to b84059f Compare June 13, 2024 11:52
@aanm aanm enabled auto-merge June 13, 2024 11:52
@aanm
Copy link
Member

aanm commented Jun 13, 2024

/test

squeed
squeed approved these changes Jun 13, 2024
View reviewed changes
Copy link
Contributor

@squeed squeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The agent already can start without hubble certificates, which breaks the chicken-and-egg problem, so hostNetwork: false is not a problem here. Nice!

@maintainer-s-little-helper
Copy link

Commit 9e4ff99 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jun 13, 2024
@Sindvero
Copy link
Contributor Author

I updated the branch with github UI, but not sure how to add the signoff there, may worth to ignore

@chancez
Copy link
Contributor

chancez commented Jun 13, 2024

I updated the branch with github UI, but not sure how to add the signoff there, may worth to ignore

You need to do this locally and amend your commit with the sign-off.

@maintainer-s-little-helper
Copy link

Commits 9e4ff99, 91b0e28 do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

auto-merge was automatically disabled June 13, 2024 17:31

Head branch was pushed to by a user without write access

@aanm aanm added this pull request to the merge queue Jun 17, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 17, 2024
Merged via the queue into cilium:main with commit badf925 Jun 17, 2024
sathieu added a commit to sathieu/cilium that referenced this pull request Jul 31, 2024
@sathieu
Fix appArmorProfile condition for CronJob helm template
6d632c2 
See cilium#33077

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
@sathieu sathieu mentioned this pull request Jul 31, 2024
Merged
8 tasks
sathieu
sathieu reviewed Jul 31, 2024
View reviewed changes
install/kubernetes/cilium/templates/hubble/tls-cronjob/_job-spec.tpl
@@ -9,10 +9,22 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
securityContext:
{{- if semverCompare "<1.30.0" (printf "%d.%d.0" (semver .Capabilities.KubeVersion.Version).Major (semver .Capabilities.KubeVersion.Version).Minor) }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The condition is reversed. See #34100.

sathieu added a commit to sathieu/cilium that referenced this pull request Aug 6, 2024
@sathieu
Fix appArmorProfile condition for CronJob helm template
228e0f3 
See cilium#33077

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
sathieu added a commit to sathieu/cilium that referenced this pull request Aug 6, 2024
@sathieu
Remove appArmorProfile from CronJob helm template
0bc9905 
The condition is reversed, and fixing it breaks CI.

See cilium#33077

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
sathieu added a commit to sathieu/cilium that referenced this pull request Aug 6, 2024
@sathieu
Remove appArmorProfile from CronJob helm template
df5352a 
The condition is reversed, and fixing it breaks CI.

See cilium#33077

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
github-merge-queue bot pushed a commit that referenced this pull request Aug 9, 2024
@sathieu @rolinh
Remove appArmorProfile from CronJob helm template
55c44d6 
The condition is reversed, and fixing it breaks CI.

See #33077

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
jschwinger233 pushed a commit that referenced this pull request Aug 12, 2024
@sathieu @jschwinger233
Remove appArmorProfile from CronJob helm template
9d05c28 
[ upstream commit 55c44d6 ]

The condition is reversed, and fixing it breaks CI.

See #33077

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Signed-off-by: gray <greyschwinger@gmail.com>
github-merge-queue bot pushed a commit that referenced this pull request Aug 13, 2024
@sathieu @aanm
Remove appArmorProfile from CronJob helm template
7d8b60b 
[ upstream commit 55c44d6 ]

The condition is reversed, and fixing it breaks CI.

See #33077

Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Signed-off-by: gray <greyschwinger@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chancez chancez chancez approved these changes

@squeed squeed squeed approved these changes

@rolinh rolinh rolinh approved these changes

@aanm aanm aanm approved these changes

+1 more reviewer

@sathieu sathieu sathieu left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
area/helm Impacts helm charts and user deployment experience kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@Sindvero @dylandreimerink @aanm @chancez @squeed @sathieu @rolinh