added PodSecurityContext #2174
added PodSecurityContext #2174
Conversation
|
Hi @Sanket-0510. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
knative-prow
bot
added
size/M
matejvasek
requested review from
a team and
lkingland
and removed request for
maximilien and
jrangelramos
|
I am grateful for this contribution. |
|
This Pull Request is stale because it has been open for 90 days with |
github-actions
bot
added
the
lifecycle/stale
|
This PR is in the right ballpark. Can we get the code formatted with |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Sanket-0510 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
lkingland
removed
the
lifecycle/stale
|
Hey @lkingland I will do the needed and we can discuss it further |
Sanket-0510
force-pushed
the
PodSecurityContext
branch
from
ee1f802 to
f56dce1
Compare
|
hey sorry for the delay in response but I have formatted the code and pushed the changes |
There was a problem hiding this comment.
Thanks for coming back to help finish.
For the Unit tests to pass, I think all that needs to be done here is to remove the extraneous whitespace, and run $ make to get a regenerated schema yaml.
However, I looked into the error from the validator says it disallows setting the pod security context.
The security context may need to be set at the container level instead. We can confirm with the Knative Serving folks on Slack, but it would effectively be this:
spec:
template:
spec:
containers:
- image: my-image
securityContext: # This is correct - at container level
runAsUser: 1000
allowPrivilegeEscalation: false| @@ -168,6 +168,8 @@ type RunSpec struct { | |||
| // Env variables to be set | |||
| Envs Envs `yaml:"envs,omitempty"` | |||
|
|
|||
| // PodSecurityContext to be set for read and write permission | |||
| PodSecurityContext PodSecurityContext `yaml:"podSecurityContext, omitempty"` | |||
There was a problem hiding this comment.
You can remove the extraneous space prepended to "omitempty" here
| @@ -0,0 +1,8 @@ | |||
| package functions | |||
|
|
|||
| type PodSecurityContext struct { | |||
There was a problem hiding this comment.
We should confirm with the Serving team, but this may need to be renamed SecurityContext and set at the Container level in the Knative Deployer in order to clear up the validation webhook error.
Changes
Schema for PodSecurityContext so that users can define fields like
fsGroup/kind Enhancement
Fixes #2108