Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PodSecurity] Warn when adding PSA labels to exempt namespaces #109680

Merged
merged 1 commit into from May 18, 2022
Merged

[PodSecurity] Warn when adding PSA labels to exempt namespaces #109680

merged 1 commit into from May 18, 2022

Conversation

tallclair
Copy link
Member

What type of PR is this?

/kind feature

What this PR does / why we need it:

Return a warning when adding or updating a non-privileged Pod Security label on an exempted namespace.

  • Adding or updating a version label on a privileged namespace doesn't warn, but doing so on a non-privileged NS does

The exempt audit annotation is no longer included on update namespace requests on exempt namespaces. It's usage was inconsistent (didn't apply to create), and is less relevant to namespace operations (we're not bypassing the policy).

Which issue(s) this PR fixes:

Fixes #109549

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Return a warning when applying a pod-security.kubernetes.io label to a PodSecurity-exempted namespace.
Stop including the pod-security.kubernetes.io/exempt=namespace audit annotation on namespace requests.

/sig auth
/milestone v1.25
/assign @liggitt

@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Apr 26, 2022
@k8s-ci-robot
Copy link
Contributor

Please note that we're already in Test Freeze for the release-1.24 branch. This means every merged PR has to be cherry-picked into the release branch to be part of the upcoming v1.24.0 release.

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Apr 26, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.25 milestone Apr 26, 2022
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 26, 2022
@k8s-ci-robot
Copy link
Contributor

@tallclair: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 26, 2022
@tallclair tallclair added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 2, 2022
@tallclair
Copy link
Member Author

/retest

1 similar comment
@tallclair
Copy link
Member Author

/retest

@enj enj added this to Needs Triage in SIG Auth Old May 13, 2022
@liggitt liggitt added this to In Review in SIG-Auth: PodSecurity via automation May 17, 2022
@liggitt
Copy link
Member

liggitt commented May 17, 2022

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 17, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 17, 2022
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@tallclair
Copy link
Member Author

Trivial test fix, adding back lgtm.

@tallclair tallclair added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 17, 2022
@k8s-triage-robot
Copy link

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

  • The PR does have any do-not-merge/* labels
  • The PR does not have the needs-ok-to-test label
  • The PR is mergeable (does not have a needs-rebase label)
  • The PR is approved (has cncf-cla: yes, lgtm, approved labels)
  • The PR is failing tests required for merge

You can:

/retest

@k8s-ci-robot k8s-ci-robot merged commit eb88dae into kubernetes:master May 18, 2022
SIG Auth Old automation moved this from Needs Triage to Closed / Done May 18, 2022
SIG-Auth: PodSecurity automation moved this from In Review to Done (1.25) May 18, 2022
muyangren2 pushed a commit to muyangren2/kubernetes that referenced this pull request Jul 14, 2022
@tallclair @muyangren2
Warn when adding PSA labels to exempt namespaces (kubernetes#109680)
c75b049
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
SIG Auth
Archived in project
SIG-Auth: PodSecurity
Done (1.25)
SIG Auth Old
Closed / Done
Milestone
v1.25
Development

Successfully merging this pull request may close these issues.

[PodSecurity] Warn when labeling exempt namespaces
4 participants
@tallclair @k8s-ci-robot @liggitt @k8s-triage-robot