Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deployment: carry over the securityContext from deployer to lifecycle hooks #12733

Merged
merged 1 commit into from
Apr 6, 2017
Merged

deployment: carry over the securityContext from deployer to lifecycle hooks #12733

merged 1 commit into from
Apr 6, 2017

Conversation

mfojtik
Copy link
Contributor

@mfojtik mfojtik commented Jan 31, 2017

Fixes: #12103

@mfojtik
Copy link
Contributor Author

mfojtik commented Jan 31, 2017

@pweil- @Kargakis FYI

@0xmichalis
Copy link
Contributor

There was some discussion upstream related to securityContext for contaienrs being broken but I can't remember if it was an issue or from the mailing list.

@mfojtik
Copy link
Contributor Author

mfojtik commented Jan 31, 2017

@Kargakis if it was broken the deployer pod won't be working?

@0xmichalis
Copy link
Contributor

Not necessarily. Found the discussion: kubernetes/kubeadm#107

@mfojtik
Copy link
Contributor Author

mfojtik commented Feb 1, 2017

@pweil- @php-coder can you confirm the securityContext is broken for SELinux?

@Kargakis also it is possible to set securityContext for the deployer pod? If not we are just copying nil.

@pweil-
Copy link

pweil- commented Feb 1, 2017

can you confirm the securityContext is broken for SELinux?

looks like this was new to 1.12.5/1.13

pweil-
pweil- reviewed Feb 1, 2017
View reviewed changes
pkg/deploy/strategy/support/lifecycle.go Outdated
@@ -397,6 +397,7 @@ func makeHookPod(hook *deployapi.LifecycleHook, rc *kapi.ReplicationController,
Env: mergedEnv,
Resources: resources,
VolumeMounts: volumeMounts,
SecurityContext: baseContainer.SecurityContext,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a pointer, should we be making a copy?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes and should not be copied from baseContainer but from the deployment config...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pweil- fixed. finally ;)

@mfojtik mfojtik force-pushed the lifecycle_security branch 3 times, most recently from a67f146 to a9b8931 Compare February 14, 2017 20:59
@mfojtik
Copy link
Contributor Author

mfojtik commented Feb 14, 2017

[test]

@pweil- updated, ptal

pweil-
pweil- reviewed Feb 14, 2017
View reviewed changes
pkg/deploy/strategy/support/lifecycle.go Outdated
@@ -375,6 +375,11 @@ func makeHookPod(hook *deployapi.LifecycleHook, rc *kapi.ReplicationController,

gracePeriod := int64(10)

podSecurityContext, err := kapi.Scheme.DeepCopy(rc.Spec.Template.Spec.SecurityContext)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mfojtik @Kargakis so the pod SC and the container SC can differ. The lifecycle hook targets a container to get the image. Do you think it is reasonable to use the container SC as well? Ie. set both the pod SC and container SC or just the pod SC.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pweil- if DC has RC with more than 1 container, which one will you pick for the hook pod? ;-)

Copy link

@pweil- pweil- Feb 14, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you have to tell the hook pod the container name so it knows the image to use. That would be unique

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@mfojtik mfojtik force-pushed the lifecycle_security branch 2 times, most recently from 8d9383e to 38576ca Compare February 15, 2017 09:07
@mfojtik mfojtik force-pushed the lifecycle_security branch from 38576ca to d026451 Compare April 5, 2017 11:41
@mfojtik
Copy link
Contributor Author

mfojtik commented Apr 5, 2017

@pweil- updated, PTAL :)

@openshift-bot
Copy link
Contributor

Evaluated for origin test up to d026451

@openshift-bot
Copy link
Contributor

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/569/) (Base Commit: 801b564)

@php-coder
Copy link
Contributor

I'd also update the comment here:

origin/pkg/deploy/strategy/support/lifecycle.go

Lines 176 to 181 in 83e3250

// The hook pod inherits the following from the container the hook refers to:
//
// * Environment (hook keys take precedence)
// * Working directory
// * Resources
func (e *hookExecutor) executeExecNewPod(hook *deployapi.LifecycleHook, rc *kapi.ReplicationController, suffix, label string) error {

@mfojtik
Copy link
Contributor Author

mfojtik commented Apr 6, 2017
edited
Loading

good catch. (but will fix in next PR because I don't want to ruin the green test run of this ;-)

@mfojtik
Copy link
Contributor Author

mfojtik commented Apr 6, 2017

[merge]

@openshift-bot
Copy link
Contributor

Evaluated for origin merge up to d026451

@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 6, 2017
edited
Loading

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/569/) (Base Commit: ed285a1) (Image: devenv-rhel7_6119)

@openshift-bot openshift-bot merged commit b7a5b0f into openshift:master Apr 6, 2017
@stevekuznetsov stevekuznetsov mentioned this pull request Apr 6, 2017
Closed
@mfojtik mfojtik deleted the lifecycle_security branch September 5, 2018 21:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pweil- pweil- pweil- left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mfojtik @0xmichalis @pweil- @openshift-bot @php-coder