Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automated backport of #3064: Configure SAs to enforce mountable secrets #3143

Merged
merged 2 commits into from
Jul 9, 2024
Merged

Automated backport of #3064: Configure SAs to enforce mountable secrets #3143

merged 2 commits into from
Jul 9, 2024

Conversation

skitt
Copy link
Member

@skitt skitt commented Jul 1, 2024

Backport of #3064 on release-0.17.

#3064: Configure SAs to enforce mountable secrets

For details on the backport process, see the backport requests page.

@skitt
Configure SAs to enforce mountable secrets
c468b6f 
This prevents accessing arbitrary secrets in pods running with these
SAs. See
https://kubernetes.io/docs/reference/labels-annotations-taints/#enforce-mountable-secrets
for details.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
@submariner-bot
Copy link
Contributor

🤖 Created branch: z_pr3143/skitt/automated-backport-of-#3064-origin-release-0.17
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

@skitt skitt marked this pull request as draft July 1, 2024 08:16
@skitt skitt marked this pull request as ready for review July 1, 2024 14:03
@skitt skitt mentioned this pull request Jul 1, 2024
Merged
@skitt
Copy link
Member Author

skitt commented Jul 1, 2024

I’m wary of the upgrade impacts of this change (in particular the renamed broker secret) on upgrades from one patch release to the next — we won’t be able to enforce the use of subctl upgrade in all cases.

@submariner-bot submariner-bot added the ready-to-test When a PR is ready for full E2E testing label Jul 4, 2024
@tpantelis
Copy link
Contributor

I’m wary of the upgrade impacts of this change (in particular the renamed broker secret) on upgrades from one patch release to the next — we won’t be able to enforce the use of subctl upgrade in all cases.

We'd have to backport submariner-io/subctl#1150 as well. This is a breaking change unless subctl upgrade is run so perhaps we shouldn't backport to patch releases.

@tpantelis tpantelis enabled auto-merge (rebase) July 9, 2024 13:47
@tpantelis tpantelis merged commit b957cc9 into submariner-io:release-0.17 Jul 9, 2024
34 of 35 checks passed
@submariner-bot
Copy link
Contributor

🤖 Closed branches: [z_pr3143/skitt/automated-backport-of-#3064-origin-release-0.17]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yboaron yboaron yboaron approved these changes

@tpantelis tpantelis tpantelis approved these changes

@vthapar vthapar vthapar approved these changes

@dfarrell07 dfarrell07 dfarrell07 approved these changes

@Oats87 Oats87 Awaiting requested review from Oats87 Oats87 is a code owner

@sridhargaddam sridhargaddam Awaiting requested review from sridhargaddam sridhargaddam is a code owner

Assignees
No one assigned
Labels
automated-backport ready-to-test When a PR is ready for full E2E testing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@skitt @submariner-bot @tpantelis @dfarrell07 @vthapar @yboaron