OCPBUGS-42044: Minimize git-clone Privileges
#29106
Conversation
As part of the mitigation for CVE-2024-45496, the `git-clone` container for builds was updated to run unprivileged and a minimal set of Linux capabilities enabled. This update ensures that we do not regress and elevate the permissions granted to the `git-clone` container in builds. Signed-off-by: Adam Kaplan <[email protected]>
openshift-ci-robot
added
jira/valid-reference
|
@adambkaplan: This pull request references Jira Issue OCPBUGS-42044, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
requested review from
jitendar-singh,
divyansh42 and
sayan-biswas
|
/approve |
openshift-ci
bot
added
the
approved
|
/cherrypick release-4.17,release-4.16,release-4.15,release-4.14,release-4.13,release-4.12 |
|
@adambkaplan: once the present PR merges, I will cherry-pick it on top of release-4.17,release-4.16,release-4.15,release-4.14,release-4.13,release-4.12 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, deads2k, sayan-biswas The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test e2e-gcp-ovn-builds |
|
Note - this might need another re-test. The commit with the patch was not added to our public repo until this morning (after I pushed the test fix commit). |
|
/retest Test ran before the patches were made public. |
|
/retest |
|
@adambkaplan: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Job Failure Risk Analysis for sha: 56e238b
|
As part of the mitigation for CVE-2024-45496, the
git-clonecontainer for builds was updated to run unprivileged and a minimal set of Linux capabilities enabled. This update ensures that we do not regress and elevate the permissions granted to thegit-clonecontainer in builds.