Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[1.25] annotations: add OCI runtime specific annotations to the AllowedAnnotions #8090

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 3 commits into from
Apr 30, 2024
Merged

[1.25] annotations: add OCI runtime specific annotations to the AllowedAnnotions #8090

openshift-merge-bot merged 3 commits into from
Apr 30, 2024

Conversation

@haircommander
Copy link
Member

@haircommander haircommander commented Apr 29, 2024

meaning an admin would have to opt-into allowing them to be used

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fix a security flaw where CRI-O allowed users to specify annotations that changed specific fields in the runtime. One consequence is a user can change the systemd properties of the container, allowing unsafe properties to be set by the runtime

@openshift-ci openshift-ci bot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Apr 29, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2024
@openshift-ci openshift-ci bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. kind/bug Categorizes issue or PR as related to a bug. labels Apr 29, 2024
@haircommander haircommander changed the base branch from main to release-1.25 April 29, 2024 19:25
@haircommander haircommander requested a review from runcom as a code owner April 29, 2024 19:25
@openshift-ci openshift-ci bot requested review from QiWang19 and klihub April 29, 2024 19:25
@cri-o cri-o deleted a comment from openshift-ci bot Apr 29, 2024
@cri-o cri-o deleted a comment from openshift-merge-robot Apr 29, 2024
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 29, 2024
@haircommander
annotations: add OCI runtime specific annotations to the AllowedAnnot…
91af1dd 
…ations

meaning an admin would have to opt-into allowing them to be used.

Signed-off-by: Peter Hunt <[email protected]>
@haircommander
fix typo and lints of CVE-2024-3154 fix
0586376 
Signed-off-by: Peter Hunt <[email protected]>
@openshift-ci openshift-ci bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Apr 29, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2024
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Apr 29, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haircommander

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov
Copy link

codecov bot commented Apr 29, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 43.63%. Comparing base (f71bd94) to head (db3030d).
Report is 4 commits behind head on release-1.25.

Additional details and impacted files 
@@              Coverage Diff              @@
##           release-1.25    #8090   +/-   ##
=============================================
  Coverage         43.63%   43.63%           
=============================================
  Files               122      122           
  Lines             13713    13749   +36     
=============================================
+ Hits               5984     6000   +16     
- Misses             7091     7108   +17     
- Partials            638      641    +3

@sohankunkerkar
Copy link
Member

sohankunkerkar commented Apr 30, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 30, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 97431e1 into cri-o:release-1.25 Apr 30, 2024
fabiand added a commit to openshift-virtualization/wasp-agent that referenced this pull request May 17, 2024
@fabiand
hook: Match on pod name
d218d24 
Annotations are denylisted due to cri-o/cri-o#8090
and related

Signed-off-by: Fabian Deutsch <[email protected]>
@fabiand fabiand mentioned this pull request May 17, 2024
Merged
Barakmor1 pushed a commit to Barakmor1/wasp-agent that referenced this pull request Jul 14, 2024
@fabiand @Barakmor1
hook: Match on pod name
ad2020b 
Annotations are denylisted due to cri-o/cri-o#8090
and related

Signed-off-by: Fabian Deutsch <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fidencio fidencio Awaiting requested review from fidencio

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@runcom runcom Awaiting requested review from runcom runcom is a code owner

@klihub klihub Awaiting requested review from klihub

@QiWang19 QiWang19 Awaiting requested review from QiWang19

Assignees

@sohankunkerkar sohankunkerkar

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@haircommander @sohankunkerkar @openshift-merge-robot