Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[1.24] add "add_inheritable_capabilities" option #6260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 3 commits into from
Oct 7, 2022
Merged

[1.24] add "add_inheritable_capabilities" option #6260

openshift-merge-robot merged 3 commits into from
Oct 7, 2022

Conversation

@haircommander
Copy link
Member

@haircommander haircommander commented Sep 28, 2022

What type of PR is this?

/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Add an option "add_inheritable_capabilities" which adds added capabilities to the inheritable list as well. As of CRI-O 1.25.1, CRI-O drops the inheritable capabilities to fix CVE-2022-27652 . However, this can cause regressions in workloads that attempt to pass capabilities to non-root users through inheritable capabilities. It defaults to true.

@openshift-ci openshift-ci bot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Sep 28, 2022
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 28, 2022
@openshift-ci openshift-ci bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. labels Sep 28, 2022
@openshift-ci openshift-ci bot requested review from QiWang19 and klihub September 28, 2022 16:17
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 28, 2022
@haircommander haircommander changed the base branch from main to release-1.24 September 28, 2022 16:18
@haircommander haircommander force-pushed the add-inheritable-capabilities-1.24 branch from 0fcf8fe to 7ec6bc7 Compare September 28, 2022 16:19
@openshift-ci openshift-ci bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Sep 28, 2022
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 28, 2022
@haircommander haircommander mentioned this pull request Sep 28, 2022
Merged
@haircommander haircommander force-pushed the add-inheritable-capabilities-1.24 branch 2 times, most recently from 8a07b4d to afa76a8 Compare September 29, 2022 18:11
@codecov
Copy link

codecov bot commented Sep 29, 2022
edited
Loading

Codecov Report

Merging #6260 (bab3681) into release-1.24 (ac6f687) will decrease coverage by 0.02%.
The diff coverage is 28.57%.

Additional details and impacted files 
@@               Coverage Diff                @@
##           release-1.24    #6260      +/-   ##
================================================
- Coverage         42.85%   42.82%   -0.03%     
================================================
  Files               124      124              
  Lines             12690    12715      +25     
================================================
+ Hits               5438     5445       +7     
- Misses             6730     6744      +14     
- Partials            522      526       +4

@haircommander haircommander force-pushed the add-inheritable-capabilities-1.24 branch 2 times, most recently from 9d7fbb0 to 98cf54c Compare September 30, 2022 13:34
@haircommander haircommander force-pushed the add-inheritable-capabilities-1.24 branch from 98cf54c to bab3681 Compare September 30, 2022 16:38
@haircommander
Copy link
Member Author

haircommander commented Oct 6, 2022

@saschagrunert PTAL

@haircommander haircommander mentioned this pull request Oct 6, 2022
Merged
saschagrunert
saschagrunert approved these changes Oct 7, 2022
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 7, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 7, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [haircommander,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 7, 2022
edited
Loading

@haircommander: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ci-images 0fcf8fe link true /test ci-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@haircommander
Copy link
Member Author

haircommander commented Oct 7, 2022

/retest

@haircommander
Copy link
Member Author

haircommander commented Oct 7, 2022

/override ci/prow/e2e-gcp

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 7, 2022

@haircommander: Overrode contexts on behalf of haircommander: ci/prow/e2e-gcp

Details

In response to this:

/override ci/prow/e2e-gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-merge-robot openshift-merge-robot merged commit 4ab920f into cri-o:release-1.24 Oct 7, 2022
This was referenced Oct 22, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saschagrunert saschagrunert saschagrunert approved these changes

@fidencio fidencio Awaiting requested review from fidencio

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@runcom runcom Awaiting requested review from runcom runcom is a code owner

@klihub klihub Awaiting requested review from klihub

@QiWang19 QiWang19 Awaiting requested review from QiWang19

Assignees

@saschagrunert saschagrunert

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@haircommander @saschagrunert @openshift-merge-robot