[release-3.9] UPSTREAM: <carry>: Remove write permissions on daemonsets from Kubernetes bootstrap policy #18977
Conversation
…etes bootstrap policy Due to how daemonsets interact with the project node selector, we need to limit write access to them to the cluster admin. Bug 1536304 Bug 1501514 Signed-off-by: Monis Khan <[email protected]>
Bug 1536304 Bug 1501514 Signed-off-by: Monis Khan <[email protected]>
openshift-ci-robot
added
the
size/L
openshift-merge-robot
added
the
vendor-update
|
/lgtm |
|
/assign @mfojtik |
|
/test gcp |
|
/lgtm Tagging so we can get this in the queue ASAP. |
enj
added
approved
|
/test gcp |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test extended_conformance_install |
|
This is 3.9 blocker, the flakes are unrelated to the changes and other tests are passing fine. @simo5 are you fine merging this via button? |
|
/lgtm It does what's on the tin, but I'm not completely sure you thought this through. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj, openshift-cherrypick-robot, tnozicka The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
@mfojtik go for it |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
Automatic merge from submit-queue. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
3 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
CI is borked. It will get stuck on #18987 anyways since the bot doesn't have permissions to merge. It already tried to merge this PR in #18977 (comment) @mfojtik @simo5 Someone likely needs to hit the green button to merge this in time. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
merging for michal |
|
Talking about it in aos, I'm less sure that the repercussions of this were fully considered. This breaks existing manifests in new clusters, it drifts from upstream, and it invalidates existing examples and manifest online, to correct a controller backoff problem? |
|
@openshift-cherrypick-robot: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This is an automated cherry-pick of #18971
/assign tnozicka