Comments (4)
@sebrandon1 , as discussed in #548, I think we don't need to change anything in the debug daemonset specification, after testing in OCP 4.12. It's just a matter of adding these two labels to default namespace (where debug daemonset is deployed):
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: latest
However, as discussed in the PR, I feel that, maybe, it is too extreme to set such privileges in default namespace, which can be used by other workloads, utilities, etc. Having said that, would it be a problem if debug daemonset is deployed in a specific namespace rather than in default namespace? Just to isolate the permissions we give to specific namespaces.
Then, second question I have: can it be included, in the README, this particularity about labelling the namespace where debug daemonset is deployed when working in OCP 4.12? Or should we wait until OCP 4.12 is finally released?
from cnf-certification-test.
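One way to check a cluster for the concern raised in the comment above, as an added example that is not part of the original thread or the project's code: it reads namespace JSON and lists every namespace whose `pod-security.kubernetes.io/enforce` label is `privileged`, rating shared namespaces higher than dedicated ones. The `debug-ds`, `app` and `legacy` namespace names, the `SHARED_NAMESPACES` set and the sample data are assumptions constructed for illustration.

```python
import json

# Pod Security Admission labels quoted in the comment above.
PSA_ENFORCE = "pod-security.kubernetes.io/enforce"
PSA_ENFORCE_VERSION = "pod-security.kubernetes.io/enforce-version"

# Assumption: namespaces that other workloads are likely to share.
SHARED_NAMESPACES = {"default"}

# Constructed sample, shaped like `kubectl get namespaces -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "default",
                  "labels": {PSA_ENFORCE: "privileged",
                             PSA_ENFORCE_VERSION: "latest"}}},
    # Hypothetical dedicated namespace for the debug daemonset.
    {"metadata": {"name": "debug-ds",
                  "labels": {PSA_ENFORCE: "privileged"}}},
    {"metadata": {"name": "app", "labels": {PSA_ENFORCE: "restricted"}}},
    {"metadata": {"name": "legacy"}},  # namespace with no labels at all
]})


def audit_namespaces(ns_list_json):
    """Return one finding per namespace that enforces the privileged level."""
    findings = []
    for item in json.loads(ns_list_json).get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        if labels.get(PSA_ENFORCE) != "privileged":
            continue
        name = meta.get("name", "")
        findings.append({
            "namespace": name,
            # Privileged enforcement on a shared namespace applies to every
            # workload deployed there, not only the debug daemonset.
            "severity": "high" if name in SHARED_NAMESPACES else "review",
            "enforce_version": labels.get(PSA_ENFORCE_VERSION, "unset"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_namespaces(SAMPLE):
        print(finding)
```
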
@ramperher If I push up a branch, can you point to it and test?
from cnf-certification-test.
@ramperher If I push up a branch, can you point to it and test?
Sure, I can give a try in an OCP 4.12 cluster :) I'll take a look!
from cnf-certification-test.
I believe this change covers the security policies needed for the daemonset:
test-network-function/privileged-daemonset#52
We can close this until we hit any more (if any) problems.
from cnf-certification-test.