Add fsGroup value to admission-webhooks/job-patch charts #8267
Conversation
k8s-ci-robot
added
cncf-cla: no
|
Welcome @dylan-bitovi! |
k8s-ci-robot
added
needs-ok-to-test
|
Hi @dylan-bitovi. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-priority
size/XS
k8s-ci-robot
added
area/helm
|
Fixed my CNCF org CLA signing not being linked, should be set up now! |
|
Fixed the failing test for missing values in |
k8s-ci-robot
added
size/L
k8s-ci-robot
added
size/XS
|
/kind bug Thanks! |
k8s-ci-robot
added
the
ok-to-test
k8s-ci-robot
added
kind/bug
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dylan-bitovi, strongjz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
remove 0.46.0 from supported versions table (kubernetes#8258) Minor fix for missing pathType property (kubernetes#8244) Updated confusing error (kubernetes#8262) Add a certificate info metric (kubernetes#8253) When the ingress controller loads certificates (new ones or following a secret update), it performs a series of check to ensure its validity. In our systems, we detected a case where, when the secret object is compromised, for example when the certificate does not match the secret key, different pods of the ingress controller are serving a different version of the certificate. This behaviour is due to the cache mechanism of the ingress controller, keeping the last known certificate in case of corruption. When this happens, old ingress-controller pods will keep serving the old one, while new pods, by failing to load the corrupted certificates, would use the default certificate, causing invalid certificates for its clients. This generates a random error on the client side, depending on the actual pod instance it reaches. In order to allow detecting occurences of those situations, add a metric to expose, for all ingress controlller pods, detailed informations of the currently loaded certificate. This will, for example, allow setting an alert when there is a certificate discrepency across all ingress controller pods using a query similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)` This also allows to catch other exceptions loading certificates (failing to load the certificate from the k8s API, ... Co-authored-by: Daniel Ricart <[email protected]> Co-authored-by: Daniel Ricart <[email protected]> Issue#8241 (kubernetes#8273) * replace daemon set for deployment manifest * nit Start Release process for v1.1.2 (kubernetes#8275) Signed-off-by: Jintao Zhang <[email protected]> Add fsGroup value to admission-webhooks/job-patch charts (kubernetes#8267) * added fsGroup to admission createSecret and patchWebhook job * added fsGroup to admission createSecret and patchWebhook job * modified helm/README.md to add value for fsGroup * fixed patch job values ordering * remove manually edited README for replacement with helm-docs generated version * re-adding charts/README.md generated by helm-docs Add OpenSSF Best practices badge (kubernetes#8277) fix: deny locations with invalid auth-url annotation (kubernetes#8256) * fix: deny locations with invalid auth-url annotation Signed-off-by: m.nabokikh <[email protected]> * Delete duplicate test Signed-off-by: m.nabokikh <[email protected]> force prow job by changing something in images/ot dir (kubernetes#8281) Images dir was merged in before the test-infra prow job, so the image was never built. kubernetes#8013 Jan 16 https://github.com/kubernetes/test-infra/pull/25344/files Prow job 4 days ago. Fix OpenTelemetry sidecar image build (kubernetes#8286) * fix wrong checksum for nginx image * fix wrong platform. Arm64 has grpc, when arm doesn't update tag for image (kubernetes#8290) remove git tag env from cloud build the latest git tag is from helm, so force the make file use of TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) release-v1.1.2-continued (kubernetes#8294) * v1.1.2 release Signed-off-by: Jintao Zhang <[email protected]> * release-v1.1.2-continued Co-authored-by: Jintao Zhang <[email protected]> docs: fix changelog formatting (kubernetes#8302) leaving it the git tag (kubernetes#8311) fixing the git tag for the image version, it is what it is . Missing annotations (kubernetes#8288) Not quite sure but It seems that `nginx.ingress.kubernetes.io/canary-by-header` is missing. Names cannot contain _ (underscore)! So I changed it to -. (kubernetes#8300) * The name can't use _(underscore)! So fix it! The name can't use _(underscore)! So fix it! * Fix configMap name can't use _(underscore) Fix configMap name can't use _(underscore) Pinned GitHub workflows by SHA (kubernetes#8334) - Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - Included permissions for some of the actions. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions Dependabot can upgrade pinned version of actions. Update monitoring.md (kubernetes#8324) Added missing repo on "helm upgrade" command Add the shareProcessNamespace as a configurable setting. (kubernetes#8287) Nginx v1.19.10 (kubernetes#8307) kubectl code overview info
…8267) * added fsGroup to admission createSecret and patchWebhook job * added fsGroup to admission createSecret and patchWebhook job * modified helm/README.md to add value for fsGroup * fixed patch job values ordering * remove manually edited README for replacement with helm-docs generated version * re-adding charts/README.md generated by helm-docs
Simple feature request update that adds a configurable
fsGroupfield to the patch job invalues.yamland updates the related templates files to contain a reference to this new fsGroup value.What this PR does / why we need it:
We had an issue when migrating from an older version of the deprecated nginxinc ingress controller to the one provided by Kubernetes which was preventing the update of our Kubernetes cluster
The primary problem was when we were deploying our application to AWS EKS, we discovered that our secret tokens lacked permissions to be able to be referenced by the
admission-webhooks/job-patch/{job-createSecret | job-patchWebhook}charts.We found that the issue was by default there is no assigned
gid, or if it was assigned it had a value of0. This issue is discussed here and here as well as a few other threads.Types of changes
Which issue/s this PR fixes
I looked through the open issues and couldn't find anyone else referencing this particular problem other than those error threads previous linked.
How Has This Been Tested?
I've tested the changes in EKS and was able to deploy and configure a Stackstorm instance routed through ingress-nginx. Prior to the changes the ingress controller would not be able to run any pods and would fail with:
I followed the dev-env setup guide and ran the associated dev-environment tests against my repo and was not alerted to any major errors. I will mention that I had run into one error during dev-env testing which was confirmed to be a bug in this slack thread, and this bug exists even without modifying the base repo.
Checklist:
There's one or two things I'm not sure of:
fsGroupshould be set to2000matching theuid, or set to0which would emulate existing deployment functionality. I could see how setting2000could affect pre-existing deployments' behaviour.My use has been pretty minimal; at this time I'm not aware of any other major breaking changes caused by this update.