Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Populate container.SecurityContext.RunAsUser when --user flag is used #1927

Merged
merged 2 commits into from
Apr 17, 2024
Merged

Populate container.SecurityContext.RunAsUser when --user flag is used #1927

merged 2 commits into from
Apr 17, 2024

Conversation

vyasgun
Copy link
Contributor

@vyasgun vyasgun commented Mar 21, 2024

Description

Changes

  • Setting container's RunAsUser field based on the --user flag at the end so it does not reinitialize the security context

Reference

Fixes #1926

Release Note

@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 21, 2024
knative-prow[bot]
knative-prow bot reviewed Mar 21, 2024
View reviewed changes
Copy link

@knative-prow knative-prow bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vyasgun: 0 warnings.

In response to this:

Description

Changes

  • Setting container's RunAsUser field based on the --user flag at the end so it does not reinitialize the security context

Reference

Fixes #1926

Release Note

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow knative-prow bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 21, 2024
@codecov Codecov
Copy link

codecov bot commented Mar 21, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 71.42857% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 76.83%. Comparing base (9ef220c) to head (34e2c3f).
Report is 7 commits behind head on main.

Files Patch % Lines
pkg/kn/flags/podspec.go 50.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1927      +/-   ##
==========================================
+ Coverage   74.58%   76.83%   +2.25%     
==========================================
  Files         207      207              
  Lines       15563    12753    -2810     
==========================================
- Hits        11607     9799    -1808     
+ Misses       3167     2165    -1002     
  Partials      789      789

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

dsimansk
dsimansk reviewed Mar 27, 2024
View reviewed changes
pkg/kn/flags/podspec.go
Comment on lines +414 to +420
if flags.Changed("user") {
err = UpdateUser(podSpec, p.User)
if err != nil {
return err
}
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason to change the order of evaluation here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO it's very likely SC was override by UpdateSecurityContext.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The order of evaluation is causing the value of the user flag to get overwritten. I have created an issue for this: #1926

@dsimansk
Copy link
Contributor

It would be nice to have a simple unit tests for the change.

@dsimansk
Copy link
Contributor

dsimansk commented Apr 10, 2024
edited
Loading

@vyasgun gentle ping. If you could check my comments, pls. I'd like to make sure both --user flag and --security-context flags understand each other.

@dsimansk dsimansk self-assigned this Apr 10, 2024
@vyasgun
Copy link
Contributor Author

vyasgun commented Apr 12, 2024

Thanks for the review, @dsimansk! Updated the PR with a small change which will test both flags together.

@dsimansk
Copy link
Contributor

/approve
/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 17, 2024
@knative-prow Knative Prow
Copy link

knative-prow bot commented Apr 17, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dsimansk, vyasgun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dsimansk
Copy link
Contributor

/retest

@dsimansk
Copy link
Contributor

@vyasgun I still have a small hesitation how to fix the issue actually. Maybe the --security-context should behave differently. To be able to merge with existing values etc.

@knative-prow knative-prow bot merged commit 80f5a9a into knative:main Apr 17, 2024
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knative-prow knative-prow[bot] knative-prow[bot] left review comments

@dsimansk dsimansk dsimansk left review comments

Assignees

@dsimansk dsimansk

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CLI: --user option does not work as expected
2 participants
@vyasgun @dsimansk