AWS kube-up: Remove SecurityContextDeny admission controller (to mirror GCE) #25381
Conversation
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
2 similar comments
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. Otherwise, if this message is too spammy, please complain to ixdy. |
k8s-github-robot
added
size/XS
k8s-github-robot
added
size/S
|
LGTM. Tests are now passing on my AWS cluster when I set |
|
@earlruby thanks for testing. =) |
|
So the SecurityContextDeny admission controller has been there "forever". But it is not present on GCE. It was removed in #16986 and #21004. I think we should just remove it on AWS also (no env var needed). @ArtfulCoder from the PRs you seem to understand exactly what's going on here vs allow-privileged - can you comment on whether we should just remove SecurityContextDeny on AWS? |
|
ok to test |
|
The author of this PR is not in the whitelist for merge, can one of the admins add the 'ok-to-merge' label? |
|
I think we should keep this as an ENV var so that we can support AMI's with SELinux enabled. I pulled this logic from the local-up scripts, and I think the experience should be similar. If we remove it, then later it will need to be added back anyways to allow for SELinux based testing. |
|
Just checking in, whats the status? |
justinsb
added
the
priority/important-soon
|
@zquestz it's a good fix (thanks!), and I want to get it merged so our test results are clean again. We have to figure out whether there's any reason to make it optional (and then, if so, how to control the options - e.g. are we going to have individual env vars for each admission controller?) |
|
I just made it option like the local up script, that way the experience is consistent. If we want to remove it, and not make it optional, then that should be done for all scripts for consistency. |
|
@zquestz This PR has the v1.3 milestone tag applied, but hasn't been touched in a week or more. We will cut Beta and branch on June 10. Please either close, finish off, get an LGTM or rebase this as needed to make sure it makes its way into 1.3. |
|
So this is done and I was just waiting on feedback on whether you want it as an option like in the local up scripts, or just remove SecurityContextDeny completely from the AWS configuration. Once I have a clear answer I am happy to make changes if needed. |
|
@justinsb sounds like a question for you. |
|
@zquestz can we just remove it entirely from the AWS configuration? That brings us closer to GCE. If GCE makes it optional, we can use the same name. We have enough additional complexity in AWS without adding another dimension :-) |
|
@justinsb I will made the changes now. |
|
@justinsb I have amended the PR. Now I just remove SecurityContextDeny like GCE. |
k8s-github-robot
removed
the
size/S
k8s-github-robot
added
the
size/XS
justinsb
changed the title
justinsb
added
lgtm
|
LGTM - thanks :-) |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit 07f8d02. |
|
Automatic merge from submit-queue |
This PR allows the user to tune the ADMISSION_CONTROL options for AWS environments (much like local-up-cluser.sh). The main impetus is to allow users to exclude the SecurityContextDeny admission controller which causes e2e AWS based tests to fail with
pod.Spec.SecurityContext.SELinuxOptions is forbidden.Now AWS e2e tests are happy and can actually go green.