Move invalid pod security context fields in helm chart to container security context #83

Merged
merged 2 commits into from
Aug 19, 2020

@cezarsa cezarsa commented Aug 18, 2020

The `privileged` and `readOnlyRootFilesystem` fields recently added to the Helm chart are not valid in the pod's security context and can only be used in the container's security context. Trying to apply the generated resource would cause the error:

```
error validating data: [ValidationError(Deployment.spec.template.spec.securityContext): unknown field "privileged" in io.k8s.api.core.v1.PodSecurityContext, ValidationError(Deployment.spec.template.spec.securityContext): unknown field "readOnlyRootFilesystem" in io.k8s.api.core.v1.PodSecurityContext]; if you choose to ignore these errors, turn validation off with --validate=false
```

This PR creates a new section in the Helm values for container-specific security context flags. It also includes a new CI job to validate Helm-generated resources to help prevent this kind of error in the future.

The `privileged` and `readOnlyRootFilesystem` fields are not valid in
the pod's security context and can only be used in the container's
security context. Trying to apply the generated resource would cause the
error:

```
error validating data: [ValidationError(Deployment.spec.template.spec.securityContext): unknown field "privileged" in io.k8s.api.core.v1.PodSecurityContext, ValidationError(Deployment.spec.template.spec.securityContext): unknown field "readOnlyRootFilesystem" in io.k8s.api.core.v1.PodSecurityContext]; if you choose to ignore these errors, turn validation off with --validate=false
```
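
The scoping rule behind this error, as an added example (not code from this PR or the project): a check over a parsed workload manifest that finds container-only fields in the pod-level `securityContext` and moves them into each container. It goes beyond the two fields in the error message to the other container-only fields in core/v1; the function names and the sample manifest are assumptions of the example.

```python
import copy

# Fields that exist only on a container's securityContext in core/v1, not on
# PodSecurityContext. The first and last are the two named in the error above.
CONTAINER_ONLY = ("privileged", "allowPrivilegeEscalation", "capabilities",
                  "procMount", "readOnlyRootFilesystem")


def misplaced_fields(workload):
    """Return container-only fields found in the pod-level securityContext."""
    pod_ctx = workload["spec"]["template"]["spec"].get("securityContext") or {}
    return [f for f in CONTAINER_ONLY if f in pod_ctx]


def relocate(workload):
    """Return a copy with misplaced fields moved into every container.

    A value that a container already sets explicitly wins over the moved one.
    """
    fixed = copy.deepcopy(workload)
    pod_spec = fixed["spec"]["template"]["spec"]
    pod_ctx = pod_spec.get("securityContext") or {}
    moved = {f: pod_ctx.pop(f) for f in misplaced_fields(fixed)}
    for kind in ("initContainers", "containers"):
        for container in pod_spec.get(kind, []):
            ctx = container.setdefault("securityContext", {})
            for field, value in moved.items():
                ctx.setdefault(field, value)
    return fixed


# Constructed sample (hypothetical names and values): a Deployment whose
# pod-level securityContext carries the two fields from the error message.
RENDERED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "example"},
    "spec": {"template": {"spec": {
        "securityContext": {"fsGroup": 101, "privileged": False,
                            "readOnlyRootFilesystem": True},
        "containers": [{"name": "app", "image": "example:latest"}],
    }}},
}

if __name__ == "__main__":
    print("misplaced:", misplaced_fields(RENDERED))
    print("after fix:", relocate(RENDERED)["spec"]["template"]["spec"])
```
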
codecov bot commented Aug 18, 2020

Codecov Report

Merging #83 into master will not change coverage.
The diff coverage is n/a.

```
@@           Coverage Diff           @@
##           master      #83   +/-   ##
=======================================
  Coverage   69.84%   69.84%           
=======================================
  Files           7        7           
  Lines         461      461           
=======================================
  Hits          322      322           
  Misses        130      130           
  Partials        9        9           
```

Last update f32fd0b...a822269.

@jacobstr

Thanks for this @cezarsa !

@jacobstr jacobstr merged commit 14fd977 into planetlabs:master Aug 19, 2020