Create database copy in tmp directory#974
Merged
perdasilva merged 1 commit intooperator-framework:masterfrom Jun 23, 2022
Merged
Create database copy in tmp directory#974perdasilva merged 1 commit intooperator-framework:masterfrom
perdasilva merged 1 commit intooperator-framework:masterfrom
Conversation
Signed-off-by: perdasilva <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #974 +/- ##
=======================================
Coverage 52.48% 52.48%
=======================================
Files 103 103
Lines 9240 9240
=======================================
Hits 4850 4850
Misses 3468 3468
Partials 922 922 Continue to review full report at Codecov.
|
perdasilva
added
the
approved
Contributor
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: perdasilva The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Aug 24, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974)
11 tasks
anik120
added a commit
to anik120/api
that referenced
this pull request
Aug 25, 2022
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp folder rather than / (root), a registry pod created in a namespace labled enforce:restricted for the Pod Security Admission controller is created by the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210 to run it in restricted mode. However, Catalogs built with a version of opm that does not contain the above change still needs privileged permission to run in a namespace that has to be labeled as enforce:privileged for the PSA controller. This PR introduces a new field, spec.runAsRoot, so that admins can indiciate their intent to allow to run the old CatalogSource in a privileged mode. When the catalog operator sees this field set to true, it will not set the securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will set the securityContext to `runAsNonRoot:false`.
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Aug 25, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/api
that referenced
this pull request
Aug 25, 2022
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp folder rather than / (root), a registry pod created in a namespace labled enforce:restricted for the Pod Security Admission controller is created by the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210 to run it in restricted mode. However, Catalogs built with a version of opm that does not contain the above change still needs privileged permission to run in a namespace that has to be labeled as enforce:privileged for the PSA controller. This PR introduces a new field, spec.runAsRoot, so that admins can indiciate their intent to allow to run the old CatalogSource in a privileged mode. When the catalog operator sees this field set to true, it will not set the securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will set the securityContext to `runAsNonRoot:false`.
anik120
added a commit
to anik120/api
that referenced
this pull request
Aug 25, 2022
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp folder rather than / (root), a registry pod created in a namespace labled enforce:restricted for the Pod Security Admission controller is created by the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210 to run it in restricted mode. However, Catalogs built with a version of opm that does not contain the above change still needs privileged permission to run in a namespace that has to be labeled as enforce:privileged for the PSA controller. This PR introduces a new field, spec.runAsRoot, so that admins can indiciate their intent to allow to run the old CatalogSource in a privileged mode. When the catalog operator sees this field set to true, it will not set the securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will set the securityContext to `runAsNonRoot:false`.
anik120
added a commit
to anik120/api
that referenced
this pull request
Aug 25, 2022
With the [change](operator-framework/operator-registry#974) in opm being copied to a /tmp folder rather than / (root), a registry pod created in a namespace labled enforce:restricted for the Pod Security Admission controller is created by the catalog operator with the (appropriate securityContext details) https://github.com/operator-framework/operator-lifecycle-manager/pull/2820/files#diff-fffdeef1fc140a5dc5dc92dda323f567a6e46fc2ecbb0b91ba907acd02bde50dR185-R210 to run it in restricted mode. However, Catalogs built with a version of opm that does not contain the above change still needs privileged permission to run in a namespace that has to be labeled as enforce:privileged for the PSA controller. This PR introduces a new field, spec.runAsRoot, so that admins can indiciate their intent to allow to run the old CatalogSource in a privileged mode. When the catalog operator sees this field set to true, it will not set the securityContext in the registry pod to `runAsNonRoot:true`. Instead, it will set the securityContext to `runAsNonRoot:false`.
11 tasks
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Aug 26, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Aug 29, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Aug 29, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Aug 29, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 1, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 6, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 6, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 8, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 9, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 9, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 12, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 13, 2022
This PR exposes a spec.runAsRoot field, so that cluster admins can indicate that they want to run the catalogsource container as root user. This, along with the Pod Admission Controller enforce level `privileged` allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 13, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 13, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 13, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 13, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 14, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 14, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-lifecycle-manager
that referenced
this pull request
Sep 14, 2022
This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]>
openshift-merge-robot
pushed a commit
to operator-framework/operator-lifecycle-manager
that referenced
this pull request
Sep 14, 2022
…2845) * (chore) vendor in o-f/api v0.17.1 Signed-off-by: Anik Bhattacharjee <[email protected]> * (psa) allow legacy Catalogsources to run in non-restrcted namespaces This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]> Signed-off-by: Anik Bhattacharjee <[email protected]>
anik120
added a commit
to anik120/operator-framework-olm
that referenced
this pull request
Sep 14, 2022
…(#2845) * (chore) vendor in o-f/api v0.17.1 Signed-off-by: Anik Bhattacharjee <[email protected]> * (psa) allow legacy Catalogsources to run in non-restrcted namespaces This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]> Signed-off-by: Anik Bhattacharjee <[email protected]> Upstream-commit: edffd9c83c3065073e5f91ff0d7c7b78a5c77063 Upstream-repository: operator-lifecycle-manager
timflannagan
pushed a commit
to timflannagan/operator-framework-olm
that referenced
this pull request
Sep 15, 2022
…(#2845) * (chore) vendor in o-f/api v0.17.1 Signed-off-by: Anik Bhattacharjee <[email protected]> * (psa) allow legacy Catalogsources to run in non-restrcted namespaces This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]> Signed-off-by: Anik Bhattacharjee <[email protected]> Upstream-commit: edffd9c83c3065073e5f91ff0d7c7b78a5c77063 Upstream-repository: operator-lifecycle-manager
anik120
added a commit
to anik120/operator-framework-olm
that referenced
this pull request
Sep 15, 2022
…(#2845) * (chore) vendor in o-f/api v0.17.1 Signed-off-by: Anik Bhattacharjee <[email protected]> * (psa) allow legacy Catalogsources to run in non-restrcted namespaces This PR configures the Catalogsource reconciler to use the spec.GrpcPodConfig.SecurityContextConfig field to determine if the pod.spec.securityContext and container[*].spec.SecurityContext for the registry pod should be configured to be runnable in a PSA restrcited namespace or not, so that cluster admins can indicate that they want to run legacy catalogsources in a non-resctricted (baseline/privileged) namespace. This allows cluster admins to run catalogsources that are built with a version of opm that is less than v1.23.2 (i.e a version of opm that does not contain [this commit](operator-framework/operator-registry#974) Signed-off-by: Anik Bhattacharjee <[email protected]> Signed-off-by: Anik Bhattacharjee <[email protected]> Upstream-commit: edffd9c83c3065073e5f91ff0d7c7b78a5c77063 Upstream-repository: operator-lifecycle-manager
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Signed-off-by: perdasilva [email protected]
Description of the change:
opm registry serve creates a writable copy of the db to a tmp file. This file was being created at the root of the filesystem. This breaks on cluster due to permissions (can't write on /). This change creates the file in the tmp directory to not get caught by fs permissions.
Motivation for the change:
The recent security updates require us to run as non-root rendering '/' read-only. Also it's not good practice to write to the root.
Reviewer Checklist
/docs