Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add allow_privilege_escalation to container security contexts attributes #249

Merged
merged 3 commits into from
Dec 12, 2018
Merged

Add allow_privilege_escalation to container security contexts attributes #249

merged 3 commits into from
Dec 12, 2018

Conversation

pdecat
Copy link
Contributor

@pdecat pdecat commented Dec 7, 2018
edited
Loading

This adds the following attributes to container security context:

  • allow_privilege_escalation
  • run_as_group (alpha since 1.10)

And those to pod security context:

  • run_as_group (alpha since 1.10)

Re-ordered fields alphabetically to match reference docs:

Added the completely missing Container SecurityContext docs.

Note: this is based on #248 to fix Deployment acceptance tests before any code changes.

TODO:

Resolves #247

@pdecat
Copy link
Contributor Author

pdecat commented Dec 8, 2018

Failing acceptance tests:

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetes\(Pod\|ReplicationController\|Deployment\).* -count=1'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetes\(Pod\|ReplicationController\|Deployment\).* -count=1 -timeout 120m
=== RUN   TestAccKubernetesDeployment_basic
--- PASS: TestAccKubernetesDeployment_basic (73.70s)
=== RUN   TestAccKubernetesDeployment_initContainer
--- PASS: TestAccKubernetesDeployment_initContainer (123.82s)
=== RUN   TestAccKubernetesDeployment_importBasic
--- PASS: TestAccKubernetesDeployment_importBasic (121.38s)
=== RUN   TestAccKubernetesDeployment_generatedName
--- PASS: TestAccKubernetesDeployment_generatedName (19.61s)
=== RUN   TestAccKubernetesDeployment_importGeneratedName
--- PASS: TestAccKubernetesDeployment_importGeneratedName (48.49s)
=== RUN   TestAccKubernetesDeployment_with_security_context
--- FAIL: TestAccKubernetesDeployment_with_security_context (10.03s)
        testing.go:518: Step 0 error: Check failed: 1 error(s) occurred:

                * Check 3/7 error: kubernetes_deployment.test: Attribute 'spec.0.template.0.spec.0.security_context.0.run_as_group' expected "100", got "0"
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_exec (9.55s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_http_get (5.38s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_tcp (18.33s)
=== RUN   TestAccKubernetesDeployment_with_container_lifecycle
--- PASS: TestAccKubernetesDeployment_with_container_lifecycle (17.87s)
=== RUN   TestAccKubernetesDeployment_with_container_security_context
--- FAIL: TestAccKubernetesDeployment_with_container_security_context (0.97s)
        testing.go:518: Step 0 error: Error applying: 1 error(s) occurred:

                * kubernetes_deployment.test: 1 error(s) occurred:

                * kubernetes_deployment.test: Failed to create deployment: Deployment.apps "tf-acc-test-8h4atqlmt2" is invalid: spec.template.spec.containers[0].securityContext: Invalid
 value: core.SecurityContext{Capabilities:(*core.Capabilities)(nil), Privileged:(*bool)(0xc4399170d9), SELinuxOptions:(*core.SELinuxOptions)(0xc439aa1840), RunAsUser:(*int64)(0xc4399171
00), RunAsGroup:(*int64)(nil), RunAsNonRoot:(*bool)(0xc439917110), ReadOnlyRootFilesystem:(*bool)(0xc439917111), AllowPrivilegeEscalation:(*bool)(0xc439917112)}: cannot set `allowPrivil
egeEscalation` to false and `privileged` to true
=== RUN   TestAccKubernetesDeployment_with_volume_mount
--- PASS: TestAccKubernetesDeployment_with_volume_mount (7.10s)
=== RUN   TestAccKubernetesDeployment_with_resource_requirements
--- PASS: TestAccKubernetesDeployment_with_resource_requirements (5.67s)
=== RUN   TestAccKubernetesDeployment_with_empty_dir_volume
--- PASS: TestAccKubernetesDeployment_with_empty_dir_volume (18.29s)
=== RUN   TestAccKubernetesDeploymentUpdate_basic
--- PASS: TestAccKubernetesDeploymentUpdate_basic (127.45s)
=== RUN   TestAccKubernetesPod_basic
--- PASS: TestAccKubernetesPod_basic (45.64s)
=== RUN   TestAccKubernetesPod_initContainer_updateForcesNew
--- PASS: TestAccKubernetesPod_initContainer_updateForcesNew (48.22s)
=== RUN   TestAccKubernetesPod_updateArgsForceNew
--- PASS: TestAccKubernetesPod_updateArgsForceNew (103.00s)
=== RUN   TestAccKubernetesPod_updateEnvForceNew
--- PASS: TestAccKubernetesPod_updateEnvForceNew (40.58s)
=== RUN   TestAccKubernetesPod_importBasic
--- FAIL: TestAccKubernetesPod_importBasic (4.74s)
        testing.go:518: Step 0 error: After applying this step, the plan was not empty:

                DIFF:

                UPDATE: kubernetes_pod.test
                  spec.0.security_context.0.run_as_group: "0" => "100"

                STATE:

                kubernetes_pod.test:
                  ID = default/tf-acc-test-ioa4zeko0u
                  provider = provider.kubernetes
                  metadata.# = 1
                  metadata.0.annotations.% = 0
                  metadata.0.generate_name =
                  metadata.0.generation = 0
                  metadata.0.labels.% = 1
                  metadata.0.labels.app = pod_label
                  metadata.0.name = tf-acc-test-ioa4zeko0u
                  metadata.0.namespace = default
                  metadata.0.resource_version = 1992389
                  metadata.0.self_link = /api/v1/namespaces/default/pods/tf-acc-test-ioa4zeko0u
                  metadata.0.uid = b0c764b9-fad4-11e8-b6c5-42010a8e0102
                  spec.# = 1
                  spec.0.active_deadline_seconds = 0
                  spec.0.container.# = 1
                  spec.0.container.0.args.# = 0
                  spec.0.container.0.command.# = 0
                  spec.0.container.0.env.# = 0
                  spec.0.container.0.env_from.# = 0
                  spec.0.container.0.image = nginx:1.7.9
                  spec.0.container.0.image_pull_policy = IfNotPresent
                  spec.0.container.0.lifecycle.# = 0
                  spec.0.container.0.liveness_probe.# = 0
                  spec.0.container.0.name = containername
                  spec.0.container.0.port.# = 0
                  spec.0.container.0.readiness_probe.# = 0
                  spec.0.container.0.resources.# = 1
                  spec.0.container.0.resources.0.limits.# = 0
                  spec.0.container.0.resources.0.requests.# = 1
                  spec.0.container.0.resources.0.requests.0.cpu = 100m
                  spec.0.container.0.resources.0.requests.0.memory =
                  spec.0.container.0.security_context.# = 0
                  spec.0.container.0.stdin = false
                  spec.0.container.0.stdin_once = false
                  spec.0.container.0.termination_message_path = /dev/termination-log
                  spec.0.container.0.tty = false
                  spec.0.container.0.volume_mount.# = 0
                  spec.0.container.0.working_dir =
                  spec.0.dns_policy = ClusterFirst
                  spec.0.host_ipc = false
                  spec.0.host_network = false
                  spec.0.host_pid = false
                  spec.0.hostname =
                  spec.0.image_pull_secrets.# = 0
                  spec.0.init_container.# = 0
                  spec.0.node_name = gke-pdecat-terraform-k8s-te-pool-n1s8-13e2a93b-r6g0
                  spec.0.node_selector.% = 0
                  spec.0.restart_policy = Always
                  spec.0.security_context.# = 1
                  spec.0.security_context.0.fs_group = 100
                  spec.0.security_context.0.run_as_group = 0
                  spec.0.security_context.0.run_as_non_root = true
                  spec.0.security_context.0.run_as_user = 101
                  spec.0.security_context.0.se_linux_options.# = 0
                  spec.0.security_context.0.supplemental_groups.# = 1
                  spec.0.security_context.0.supplemental_groups.988695518 = 101
                  spec.0.service_account_name = default
                  spec.0.subdomain =
                  spec.0.termination_grace_period_seconds = 30
                  spec.0.volume.# = 0
=== RUN   TestAccKubernetesPod_with_pod_security_context
--- FAIL: TestAccKubernetesPod_with_pod_security_context (13.55s)
        testing.go:518: Step 0 error: Check failed: 1 error(s) occurred:

                * Check 3/7 error: kubernetes_pod.test: Attribute 'spec.0.security_context.0.run_as_group' expected "100", got "0"
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_exec (53.25s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_http_get (20.48s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_tcp (7.56s)
=== RUN   TestAccKubernetesPod_with_container_lifecycle
--- PASS: TestAccKubernetesPod_with_container_lifecycle (5.96s)
=== RUN   TestAccKubernetesPod_with_container_security_context
--- FAIL: TestAccKubernetesPod_with_container_security_context (0.18s)
        testing.go:518: Step 0 error: Error applying: 1 error(s) occurred:

                * kubernetes_pod.test: 1 error(s) occurred:

                * kubernetes_pod.test: Pod "tf-acc-test-nc04rszz8a" is invalid: spec.containers[0].securityContext: Invalid value: core.SecurityContext{Capabilities:(*core.Capabilities)
(0xc4376cd020), Privileged:(*bool)(0xc42b284f68), SELinuxOptions:(*core.SELinuxOptions)(0xc435431fc0), RunAsUser:(*int64)(0xc42b284f80), RunAsGroup:(*int64)(nil), RunAsNonRoot:(*bool)(0
xc42b284f90), ReadOnlyRootFilesystem:(*bool)(0xc42b284f91), AllowPrivilegeEscalation:(*bool)(0xc42b284f92)}: cannot set `allowPrivilegeEscalation` to false and `privileged` to true
=== RUN   TestAccKubernetesPod_with_volume_mount
--- PASS: TestAccKubernetesPod_with_volume_mount (9.19s)
=== RUN   TestAccKubernetesPod_with_cfg_map_volume_mount
--- PASS: TestAccKubernetesPod_with_cfg_map_volume_mount (21.25s)
=== RUN   TestAccKubernetesPod_with_resource_requirements
--- PASS: TestAccKubernetesPod_with_resource_requirements (6.34s)
=== RUN   TestAccKubernetesPod_with_empty_dir_volume
--- PASS: TestAccKubernetesPod_with_empty_dir_volume (21.87s)
=== RUN   TestAccKubernetesPod_with_secret_vol_items
--- PASS: TestAccKubernetesPod_with_secret_vol_items (6.46s)
=== RUN   TestAccKubernetesPod_gke_with_nodeSelector
--- PASS: TestAccKubernetesPod_gke_with_nodeSelector (20.68s)
=== RUN   TestAccKubernetesReplicationController_basic
--- PASS: TestAccKubernetesReplicationController_basic (117.80s)
=== RUN   TestAccKubernetesReplicationController_initContainer
--- PASS: TestAccKubernetesReplicationController_initContainer (115.93s)
=== RUN   TestAccKubernetesReplicationController_importBasic
--- PASS: TestAccKubernetesReplicationController_importBasic (115.91s)
=== RUN   TestAccKubernetesReplicationController_generatedName
--- PASS: TestAccKubernetesReplicationController_generatedName (1.74s)
=== RUN   TestAccKubernetesReplicationController_importGeneratedName
--- PASS: TestAccKubernetesReplicationController_importGeneratedName (2.46s)
=== RUN   TestAccKubernetesReplicationController_with_security_context
--- FAIL: TestAccKubernetesReplicationController_with_security_context (1.48s)
        testing.go:518: Step 0 error: Check failed: 1 error(s) occurred:

                * Check 3/7 error: kubernetes_replication_controller.test: Attribute 'spec.0.template.0.security_context.0.run_as_group' expected "100", got "0"
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_exec (1.71s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_http_get (1.74s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_tcp (2.59s)
=== RUN   TestAccKubernetesReplicationController_with_container_lifecycle
--- PASS: TestAccKubernetesReplicationController_with_container_lifecycle (1.90s)
=== RUN   TestAccKubernetesReplicationController_with_container_security_context
--- FAIL: TestAccKubernetesReplicationController_with_container_security_context (0.22s)
        testing.go:518: Step 0 error: Error applying: 1 error(s) occurred:

                * kubernetes_replication_controller.test: 1 error(s) occurred:

                * kubernetes_replication_controller.test: Failed to create replication controller: ReplicationController "tf-acc-test-6mpvv8dwck" is invalid: spec.template.spec.containe
rs[0].securityContext: Invalid value: core.SecurityContext{Capabilities:(*core.Capabilities)(nil), Privileged:(*bool)(0xc426233299), SELinuxOptions:(*core.SELinuxOptions)(0xc42d6da180),
 RunAsUser:(*int64)(0xc4262332c0), RunAsGroup:(*int64)(nil), RunAsNonRoot:(*bool)(0xc4262332d0), ReadOnlyRootFilesystem:(*bool)(0xc4262332d1), AllowPrivilegeEscalation:(*bool)(0xc426233
2d2)}: cannot set `allowPrivilegeEscalation` to false and `privileged` to true
=== RUN   TestAccKubernetesReplicationController_with_volume_mount
--- PASS: TestAccKubernetesReplicationController_with_volume_mount (3.05s)
=== RUN   TestAccKubernetesReplicationController_with_resource_requirements
--- PASS: TestAccKubernetesReplicationController_with_resource_requirements (2.03s)
=== RUN   TestAccKubernetesReplicationController_with_empty_dir_volume
--- PASS: TestAccKubernetesReplicationController_with_empty_dir_volume (1.81s)
FAIL
FAIL    github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 1406.989s
make: *** [GNUmakefile:17: testacc] Error 1

Somehow, the new fields are not properly updated, on it...

@pdecat
Copy link
Contributor Author

pdecat commented Dec 8, 2018
edited
Loading

Oh, RunAsGroup was introduced in 1.10 as alpha: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/

Removing it for now...

Saved those changes at https://github.com/pdecat/terraform-provider-kubernetes/tree/f-add-security-context-run_as_group

@pdecat pdecat changed the title Update container and pod security contexts attributes Add allow_privilege_escalation to container security contexts attributes Dec 8, 2018
@pdecat pdecat force-pushed the f-update-security-context branch 2 times, most recently from 97d6245 to a0693bc Compare December 8, 2018 11:30
@pdecat
Copy link
Contributor Author

pdecat commented Dec 8, 2018

Updated so that allow_privilege_escalation defaults to true.

For reference:

https://github.com/kubernetes/kubernetes/pull/53443/files#diff-310c52de103f5497d2d590411435ed19R978

https://books.google.fr/books?id=18t1DwAAQBAJ&pg=PA390&dq=AllowPrivilegeEscalation+default+value&hl=en&sa=X&ved=0ahUKEwiVw8OVr5DfAhUQQBoKHf02AeEQ6AEIKDAA#v=onepage&q=AllowPrivilegeEscalation%20default%20value&f=false

IMO, the reference and design docs are not really explicit about that:

AllowPrivilegeEscalation: Controls whether a process can gain more privileges than its parent process. This bool directly controls whether the no_new_privs flag gets set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged OR 2) has CAP_SYS_ADMIN.

cf. https://v1-10.docs.kubernetes.io/docs/tasks/configure-pod-container/security-context/
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/security_context.md

https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/pod-security-context.md

https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/no-new-privs.md#existing-securitycontext-objects

This change allows the acceptance to pass while they used to fail when this attribute is not defined but privileged is true.

@pdecat
Copy link
Contributor Author

pdecat commented Dec 8, 2018

Acceptance test results on GKE 1.11.4-gke.8 :

# make testacc TEST=./kubernetes TESTARGS='-run=TestAccKubernetes\(Pod\|ReplicationController\|Deployment\).* -count=1'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./kubernetes -v -run=TestAccKubernetes\(Pod\|ReplicationController\|Deployment\).* -count=1 -timeout 120m
=== RUN   TestAccKubernetesDeployment_basic
--- PASS: TestAccKubernetesDeployment_basic (69.12s)
=== RUN   TestAccKubernetesDeployment_initContainer
--- PASS: TestAccKubernetesDeployment_initContainer (129.49s)
=== RUN   TestAccKubernetesDeployment_importBasic
--- PASS: TestAccKubernetesDeployment_importBasic (119.82s)
=== RUN   TestAccKubernetesDeployment_generatedName
--- PASS: TestAccKubernetesDeployment_generatedName (10.57s)
=== RUN   TestAccKubernetesDeployment_importGeneratedName
--- PASS: TestAccKubernetesDeployment_importGeneratedName (48.57s)
=== RUN   TestAccKubernetesDeployment_with_security_context
--- PASS: TestAccKubernetesDeployment_with_security_context (18.36s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_exec (9.80s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_http_get (18.04s)
=== RUN   TestAccKubernetesDeployment_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesDeployment_with_container_liveness_probe_using_tcp (9.61s)
=== RUN   TestAccKubernetesDeployment_with_container_lifecycle
--- PASS: TestAccKubernetesDeployment_with_container_lifecycle (5.52s)
=== RUN   TestAccKubernetesDeployment_with_container_security_context
--- PASS: TestAccKubernetesDeployment_with_container_security_context (5.96s)
=== RUN   TestAccKubernetesDeployment_with_volume_mount
--- PASS: TestAccKubernetesDeployment_with_volume_mount (19.16s)
=== RUN   TestAccKubernetesDeployment_with_resource_requirements
--- PASS: TestAccKubernetesDeployment_with_resource_requirements (10.69s)
=== RUN   TestAccKubernetesDeployment_with_empty_dir_volume
--- PASS: TestAccKubernetesDeployment_with_empty_dir_volume (5.51s)
=== RUN   TestAccKubernetesDeploymentUpdate_basic
--- PASS: TestAccKubernetesDeploymentUpdate_basic (157.58s)
=== RUN   TestAccKubernetesPod_basic
--- PASS: TestAccKubernetesPod_basic (36.15s)
=== RUN   TestAccKubernetesPod_initContainer_updateForcesNew
--- PASS: TestAccKubernetesPod_initContainer_updateForcesNew (60.96s)
=== RUN   TestAccKubernetesPod_updateArgsForceNew
--- PASS: TestAccKubernetesPod_updateArgsForceNew (110.88s)
=== RUN   TestAccKubernetesPod_updateEnvForceNew
--- PASS: TestAccKubernetesPod_updateEnvForceNew (32.14s)
=== RUN   TestAccKubernetesPod_importBasic
--- PASS: TestAccKubernetesPod_importBasic (6.91s)
=== RUN   TestAccKubernetesPod_with_pod_security_context
--- PASS: TestAccKubernetesPod_with_pod_security_context (12.41s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_exec (50.74s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_http_get (7.45s)
=== RUN   TestAccKubernetesPod_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesPod_with_container_liveness_probe_using_tcp (8.14s)
=== RUN   TestAccKubernetesPod_with_container_lifecycle
--- PASS: TestAccKubernetesPod_with_container_lifecycle (19.02s)
=== RUN   TestAccKubernetesPod_with_container_security_context
--- PASS: TestAccKubernetesPod_with_container_security_context (6.50s)
=== RUN   TestAccKubernetesPod_with_volume_mount
--- PASS: TestAccKubernetesPod_with_volume_mount (22.06s)
=== RUN   TestAccKubernetesPod_with_cfg_map_volume_mount
--- PASS: TestAccKubernetesPod_with_cfg_map_volume_mount (8.85s)
=== RUN   TestAccKubernetesPod_with_resource_requirements
--- PASS: TestAccKubernetesPod_with_resource_requirements (19.91s)
=== RUN   TestAccKubernetesPod_with_empty_dir_volume
--- PASS: TestAccKubernetesPod_with_empty_dir_volume (12.28s)
=== RUN   TestAccKubernetesPod_with_secret_vol_items
--- PASS: TestAccKubernetesPod_with_secret_vol_items (21.04s)
=== RUN   TestAccKubernetesPod_gke_with_nodeSelector
--- PASS: TestAccKubernetesPod_gke_with_nodeSelector (20.77s)
=== RUN   TestAccKubernetesReplicationController_basic
--- PASS: TestAccKubernetesReplicationController_basic (116.91s)
=== RUN   TestAccKubernetesReplicationController_initContainer
--- PASS: TestAccKubernetesReplicationController_initContainer (115.66s)
=== RUN   TestAccKubernetesReplicationController_importBasic
--- PASS: TestAccKubernetesReplicationController_importBasic (116.28s)
=== RUN   TestAccKubernetesReplicationController_generatedName
--- PASS: TestAccKubernetesReplicationController_generatedName (2.64s)
=== RUN   TestAccKubernetesReplicationController_importGeneratedName
--- PASS: TestAccKubernetesReplicationController_importGeneratedName (2.52s)
=== RUN   TestAccKubernetesReplicationController_with_security_context
--- PASS: TestAccKubernetesReplicationController_with_security_context (2.65s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_exec
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_exec (2.13s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_http_get
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_http_get (2.41s)
=== RUN   TestAccKubernetesReplicationController_with_container_liveness_probe_using_tcp
--- PASS: TestAccKubernetesReplicationController_with_container_liveness_probe_using_tcp (2.58s)
=== RUN   TestAccKubernetesReplicationController_with_container_lifecycle
--- PASS: TestAccKubernetesReplicationController_with_container_lifecycle (2.06s)
=== RUN   TestAccKubernetesReplicationController_with_container_security_context
--- PASS: TestAccKubernetesReplicationController_with_container_security_context (2.02s)
=== RUN   TestAccKubernetesReplicationController_with_volume_mount
--- PASS: TestAccKubernetesReplicationController_with_volume_mount (3.20s)
=== RUN   TestAccKubernetesReplicationController_with_resource_requirements
--- PASS: TestAccKubernetesReplicationController_with_resource_requirements (2.39s)
=== RUN   TestAccKubernetesReplicationController_with_empty_dir_volume
--- PASS: TestAccKubernetesReplicationController_with_empty_dir_volume (2.16s)
PASS
ok      github.com/terraform-providers/terraform-provider-kubernetes/kubernetes 1469.681s

@pdecat pdecat force-pushed the f-update-security-context branch from 0f64089 to 1f80aef Compare December 9, 2018 11:13
@pdecat
Copy link
Contributor Author

pdecat commented Dec 9, 2018

Rebased on master.

alexsomesan
alexsomesan approved these changes Dec 10, 2018
View reviewed changes
Copy link
Member

@alexsomesan alexsomesan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nicely done! Thanks for quoting the references so exhaustively.

I've run this in internal CI and all is green, so we should be good here.

LGTM

@alexsomesan alexsomesan merged commit c0f2cdf into hashicorp:master Dec 12, 2018
@pdecat pdecat deleted the f-update-security-context branch December 12, 2018 20:13
pdecat added a commit to pdecat/terraform-provider-kubernetes that referenced this pull request Dec 13, 2018
@pdecat
Update changelog for hashicorp#249
42944bc
alexsomesan pushed a commit that referenced this pull request Jan 7, 2019
@pdecat @alexsomesan
Update changelog for #249 and #252 (#257)
3ff4bc9 
* Update changelog for #249

* Update changelog for #252
@jhoblitt
Copy link
Contributor

I believe that runAsGroup is beta as of 1.14 and enabled by default: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/

@jhoblitt
Copy link
Contributor

@pdecat Is there any chance I could talk you into resurrecting your run_as_group support?

@pdecat pdecat mentioned this pull request Apr 25, 2019
Merged
@pdecat
Copy link
Contributor Author

pdecat commented Apr 25, 2019

@jhoblitt there you go #414 ;)

@ghost ghost locked and limited conversation to collaborators Apr 21, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@alexsomesan alexsomesan alexsomesan approved these changes

Assignees
No one assigned
Labels
documentation size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add allowPrivilegeEscalation key to deployment resource for container security_context
3 participants
@pdecat @jhoblitt @alexsomesan