From ad8f18e1c37ebff664c531aa00118812d6413f86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Doktor?=
Date: Mon, 17 Jul 2023 15:28:56 +0200
Subject: [PATCH 1/5] ci/openshift-ci: Fix the smoke_test permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Modify the smoke_test container securityContext to work well with OCP 4.14.
Fixes: #5671
Signed-off-by: Lukáš Doktor
---
 .ci/openshift-ci/smoke/http-server.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.ci/openshift-ci/smoke/http-server.yaml b/.ci/openshift-ci/smoke/http-server.yaml
index b10b82ff5..ce73ad9ff 100644
--- a/.ci/openshift-ci/smoke/http-server.yaml
+++ b/.ci/openshift-ci/smoke/http-server.yaml
@@ -18,4 +18,13 @@ spec:
 - containerPort: 8080
 command: ["python3"]
 args: [ "-m", "http.server", "8080"]
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 runtimeClassName: kata-qemu
From 21f3a897e4e81d460c33aed05a601fa5df3d260a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Doktor?=
Date: Mon, 24 Jul 2023 14:45:04 +0200
Subject: [PATCH 2/5] kata-webhook: Fix the webhook's pods permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Newer ocp by default requires running as user with certain capabilities dropped.
Fixes: #5671
Signed-off-by: Lukáš Doktor
---
 kata-webhook/deploy/webhook.yaml | 9 +++++++++
 kata-webhook/webhook-check.sh | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/kata-webhook/deploy/webhook.yaml b/kata-webhook/deploy/webhook.yaml
index c54b4bc90..07e8a57a2 100644
--- a/kata-webhook/deploy/webhook.yaml
+++ b/kata-webhook/deploy/webhook.yaml
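Review bot: `runAsUser: 1000` pins a fixed UID, and under OpenShift's default restricted-v2 SCC (runAsUser strategy MustRunAsRange) a pod that requests a UID outside the namespace's allocated range is rejected at admission, so this manifest only schedules where the namespace or service account has been granted a RunAsAny SCC such as anyuid — which may well be the case for this CI namespace, but it is not visible here. `runAsNonRoot: true` already satisfies the non-root requirement on its own and lets the SCC assign a UID from the range, so either dropping the `runAsUser: 1000` line or adding a comment naming the SCC the smoke namespace relies on would make the intent explicit. The same nine-line block is added to kata-webhook/deploy/webhook.yaml and to the heredoc in kata-webhook/webhook-check.sh, and the same consideration applies to both. The remaining settings (allowPrivilegeEscalation false, drop ALL, RuntimeDefault seccomp) match what restricted-v2 expects.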
@@ -41,6 +41,15 @@ spec:
 requests:
 cpu: "100m"
 memory: "250Mi"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 volumes:
 - name: webhook-certs
 secret:
diff --git a/kata-webhook/webhook-check.sh b/kata-webhook/webhook-check.sh
index c5b05feac..2341442ff 100755
--- a/kata-webhook/webhook-check.sh
+++ b/kata-webhook/webhook-check.sh
@@ -57,6 +57,15 @@ check_working() {
 image: quay.io/prometheus/busybox:latest
 command: ["echo", "Hello Webhook"]
 imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 EOF
 local class_name=$(kubectl get -n ${WEBHOOK_NS} \
 -o jsonpath='{.spec.runtimeClassName}' pod/${hello_pod})
From d32ca2d717c4b40c507070349ae6f5bc9e7c7287 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Doktor?=
Date: Mon, 17 Jul 2023 15:34:09 +0200
Subject: [PATCH 3/5] ci: Initialize GOPATH before it's used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
the GOPATH variable is used by some variables before it gets initialized. Reorder the logic to work properly.
Fixes: #5713
Signed-off-by: Lukáš Doktor
---
 .ci/lib.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.ci/lib.sh b/.ci/lib.sh
index 167b4ff2e..7156a3a26 100755
--- a/.ci/lib.sh
+++ b/.ci/lib.sh
@@ -6,6 +6,14 @@
 # SPDX-License-Identifier: Apache-2.0
 #
+# Ensure GOPATH set
+if command -v go > /dev/null; then
+ export GOPATH=${GOPATH:-$(go env GOPATH)}
+else
+ # if go isn't installed, set default location for GOPATH
+ export GOPATH="${GOPATH:-$HOME/go}"
+fi
+
 export KATA_KSM_THROTTLER=${KATA_KSM_THROTTLER:-no}
 export KATA_QEMU_DESTDIR=${KATA_QEMU_DESTDIR:-"/usr"}
 export KATA_ETC_CONFIG_PATH="/etc/kata-containers/configuration.toml"
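Review bot: In the moved `# Ensure GOPATH set` block of .ci/lib.sh the two branches quote differently: the go branch has `export GOPATH=${GOPATH:-$(go env GOPATH)}` unquoted while the fallback branch is quoted; `export GOPATH="${GOPATH:-$(go env GOPATH)}"` keeps them consistent (bash treats the `export` argument as an assignment, so this is harmless today, but the quoted form is what a reader will copy). The block now runs at the very top of lib.sh, so `command -v go` is evaluated against whatever PATH the caller had when sourcing; if lib.sh extends PATH further down, that extension no longer precedes this check and the `$HOME/go` fallback would be taken instead of `go env GOPATH`. The rest of lib.sh is outside this hunk, so that ordering concern is inferred rather than observed.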
@@ -33,14 +41,6 @@ export KATA_NET_TIMEOUT=30 source /etc/os-release || source /usr/lib/os-release -# Ensure GOPATH set -if command -v go > /dev/null; then - export GOPATH=${GOPATH:-$(go env GOPATH)} -else - # if go isn't installed, set default location for GOPATH - export GOPATH="${GOPATH:-$HOME/go}" -fi - # Support Golang 1.16.x. # By default in Golang >= 1.16 GO111MODULE is set to "on", # some subprojects in this repo may not support "go modules", From ebc660c45b3108d49a53cb2d0f2b8b1a1f9f475b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 31 Jul 2023 09:02:16 +0200 Subject: [PATCH 4/5] release: Kata Containers 3.2.0-alpha4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - ci: Initialize GOPATH before it's used - ci/openshift-ci: Fix the smoke_test permissions - vfio-ap: Add e2e test for vfio-ap cold-plugin - vfio: Fix default port assignment - license: avoid checking license for *.dtd file - Dict: add pio into Kata CI spelling check - dict: add more words into kata-spell-check - spell: update spelling dictionary - versions: Update sonobuoy to latest v0.56.16 - k8s-conformance: Add support to run tests in parallel - metrics: Fix non valid results on memory usage inside container - run: Bring back k8s tests for dragonball - gpu: Add VRA related words to dictionary - ci/openshift-ci: Port the job to run on OCP 4.14 - tests: Remove a snap test - ci: Switch to http kubernetes mirror - metrics: Update Tensorflow model name - metrics: Update tensorflow Dockerfile - versions: Update xurls version to 2.5.0 - stability: Update stressng dockerfile d32ca2d7 ci: Initialize GOPATH before it's used 21f3a897 kata-webhook: Fix the webhook's pods permissions ad8f18e1 ci/openshift-ci: Fix the smoke_test permissions 6c6397f9 vfio-ap: Add e2e test for vfio-ap cold-plugin 54b5c03e vfio: Fix default port assignment 1f222bca license: avoid checking license for *.dtd file a4f42ff4 Dict: add pio into Kata CI spelling check dbdcc1eb dict: add more words into kata-spell-check 80133177 spell: update spelling dictionary 244e5a1c versions: Update sonobuoy to latest v0.56.16 14ee9639 run: Bring back k8s tests for dragonball 75068056 gpu: Add VRA related words to dictionary 9cefdb38 metrics: Fix non valid results on memory usage inside container 6a127aa7 ci/openshift-ci: Remove ocp 4.10 support 735c4808 ci/openshift-ci: Port the job to run on OCP 4.14 b682f059 tests: Remove a snap test 977eaf71 ci: Switch to http kubernetes mirror 
5fad1046 metrics: Update Tensorflow model name
98cf5b97 k8s-conformance: Add support to run tests in parallel
d7b8c0b0 versions: Update sonobuoy to latest v0.56.16
a403e6ec e2e_conformance: Add support for runtime class
cb6f8cda kata-webhook: Cleanup kata-webhook deployment
53b9302c kata-webhook: Skip mutating sonobuoy pods
16f551cc kata-webhook-docs: Fix outdated script names
2e4a7eb9 metrics: Update tensorflow Dockerfile
101ae848 versions: Update xurls version to 2.5.0
cd4cfd8c stability: Update stressng dockerfile
Signed-off-by: Fabiano Fidêncio
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index bb48c8b0a..ed590bd2a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.2.0-alpha3
+3.2.0-alpha4
From 669964a746a2aa4a6f883e2c36e8e1e93ac3a1e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 2 Aug 2023 16:59:52 +0200
Subject: [PATCH 5/5] release: Kata Containers 3.2.0-rc0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Version bump no changes
Signed-off-by: Fabiano Fidêncio
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index ed590bd2a..2f290ae1b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.2.0-alpha4
+3.2.0-rc0