Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] OCPBUGS-31353: Minimize wildcard privileges for CRDs and namespaces #1170

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[WIP] OCPBUGS-31353: Minimize wildcard privileges for CRDs and namespaces #1170

wants to merge 1 commit into from

Conversation

alebedev87
Copy link
Contributor

@alebedev87 alebedev87 commented Nov 26, 2024
edited
Loading

  • Scoped namespace permissions to read-only to enable informer watches.
  • Restricted wildcard namespace permissions exclusively to operand namespaces (routers and canary).
  • Scoped CRD permissions to read-only to enable informer watches.
  • Restricted wildcard CRD permissions exclusively to Gateway API.

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 26, 2024
@openshift-ci-robot
Copy link
Contributor

@alebedev87: This pull request references Jira Issue OCPBUGS-31353, which is invalid:

  • expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

  • Restricted CRD permissions exclusively to Gateway API.
  • Restricted namespace permissions exclusively to operand namespaces (routers and canary).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 26, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from alebedev87. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@alebedev87
Copy link
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 26, 2024
@openshift-ci-robot
Copy link
Contributor

@alebedev87: This pull request references Jira Issue OCPBUGS-31353, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from lihongan November 26, 2024 12:43
@openshift-ci-robot
Copy link
Contributor

@alebedev87: This pull request references Jira Issue OCPBUGS-31353, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

  • Restricted namespace permissions exclusively to operand namespaces (routers and canary).
  • Scoped CRD permissions to readonly to enable infromer watches.
  • Restricted wildcard CRD permissions exclusively to Gateway API.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@alebedev87
OCPBUGS-31353: Minimize wildcard privileges for CRDs and namespaces
d3f57f2 
- Scoped namespace permissions to read-only to enable informer watches.
- Restricted wildcard namespace permissions exclusively to operand namespaces (routers and canary).
- Scoped CRD permissions to read-only to enable informer watches.
- Restricted wildcard CRD permissions exclusively to Gateway API.
@alebedev87 alebedev87 changed the title OCPBUGS-31353: Minimize wildcard privileges for CRDs and namespaces [WIP] OCPBUGS-31353: Minimize wildcard privileges for CRDs and namespaces Nov 26, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 26, 2024
@openshift-ci-robot
Copy link
Contributor

@alebedev87: This pull request references Jira Issue OCPBUGS-31353, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

  • Scoped namespace permissions to read-only to enable informer watches.
  • Restricted wildcard namespace permissions exclusively to operand namespaces (routers and canary).
  • Scoped CRD permissions to read-only to enable informer watches.
  • Restricted wildcard CRD permissions exclusively to Gateway API.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@melvinjoseph86
Copy link

/retest-required

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 27, 2024

@alebedev87: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-azure-ovn d3f57f2 link false /test e2e-azure-ovn
ci/prow/e2e-azure-operator d3f57f2 link true /test e2e-azure-operator
ci/prow/e2e-aws-operator d3f57f2 link true /test e2e-aws-operator
ci/prow/e2e-gcp-ovn d3f57f2 link false /test e2e-gcp-ovn
ci/prow/e2e-aws-operator-techpreview d3f57f2 link false /test e2e-aws-operator-techpreview
ci/prow/e2e-aws-ovn-serial d3f57f2 link true /test e2e-aws-ovn-serial
ci/prow/e2e-aws-ovn-techpreview d3f57f2 link false /test e2e-aws-ovn-techpreview
ci/prow/e2e-aws-ovn d3f57f2 link true /test e2e-aws-ovn
ci/prow/e2e-aws-ovn-single-node d3f57f2 link false /test e2e-aws-ovn-single-node
ci/prow/e2e-aws-gatewayapi d3f57f2 link false /test e2e-aws-gatewayapi
ci/prow/e2e-gcp-operator d3f57f2 link true /test e2e-gcp-operator
ci/prow/okd-scos-e2e-aws-ovn d3f57f2 link false /test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knobunc knobunc Awaiting requested review from knobunc

@Thealisyed Thealisyed Awaiting requested review from Thealisyed

@lihongan lihongan Awaiting requested review from lihongan

Assignees
No one assigned
Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alebedev87 @openshift-ci-robot @melvinjoseph86