[BugFix]Allow ImageVolume for Restricted PSA profiles #130394
Conversation
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Hi @Barakmor1. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
There was a problem hiding this comment.
Thanks for the fix, this looks reasonable to me
Please add to the TestRestrictedVolumes unit test to exercise this case
I think this should merge before the ImageVolume feature is promoted to beta (xref #130135 (comment))
staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go
Outdated
Show resolved
Hide resolved
|
Stop referring to ImageVolume as an unknown type during pod security admission validation. Avoid restricting ImageVolume for the Restricted profile, as users who can create a pod with a certain image should also be able to use ImageVolume with an image. Signed-off-by: bmordeha <bmordeha@redhat.com>
|
thanks for the link there as well... for the folks driving the promotion to beta, please ensure these updates get reflected back in the list of updates for the KEP / feature, and that there is test coverage added to exercise those gaps |
Done |
|
/kind bug |
|
LGTM label has been added. Git tree hash: c5129d5014ad2c405161839972f03625132c5c21
|
|
Can we back-port this? |
|
No, only security fixes, dataloss fixes, and regression fixes are backported. Specifically, bugfixes for alpha off-by-default features are not eligible for backport. See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/cherry-picks.md#what-kind-of-prs-are-good-for-cherry-picks for details |
This essentially means that we might not be able to use or test this feature in KubeVirt unless the Kubernetes version is higher than 1.32, even if it's protected by a feature gate on our side :\ |
you can, you just need to opt the test namespace into baseline PSA mode or higher until getting this fix in 1.33 |
In KubeVirt, the requirements for new features are a bit different. I'm not sure if this limitation will be accepted, but I'll look into it. Thanks for the info! :) |
|
FYI @vladikr |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Barakmor1, liggitt, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Stop referring to ImageVolume as an unknown type during pod security admission validation. Avoid restricting ImageVolume for the Restricted profile, as users who can create a pod with a certain image should also be able to use ImageVolume with an image.
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: