From 5be591c73355ad02928178c907eae44f1d501fda Mon Sep 17 00:00:00 2001
From: "microshift-rebase-script[bot]" <114237296+microshift-rebase-script[bot]@users.noreply.github.com>
Date: Wed, 8 Mar 2023 17:56:55 +0100
Subject: [PATCH] rebase-4.12.0-0.nightly_amd64-2023-03-06-151602_arm64-2023-03-07-014438 (#1451)
* update last_rebase.sh
* update changelog
* update go.mod
* update vendoring
* update component images
* update manifests
---------
Co-authored-by: ci-robot
---
 assets/release/release-aarch64.json | 24 ++---
 assets/release/release-x86_64.json | 24 ++---
 go.mod | 2 +-
 go.sum | 4 +-
 packaging/crio.conf.d/microshift_amd64.conf | 2 +-
 packaging/crio.conf.d/microshift_arm64.conf | 2 +-
 scripts/auto-rebase/changelog.txt | 26 ++----
 scripts/auto-rebase/commits.txt | 8 +-
 scripts/auto-rebase/last_rebase.sh | 2 +-
 .../pkg/cmd/controller/psalabelsyncer.go | 44 +++++++---
 .../podsecurity_label_sync_controller.go | 88 +++++++++++++++++--
 vendor/modules.txt | 2 +-
 12 files changed, 157 insertions(+), 71 deletions(-)
diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json
index 476de38ccd4..3c41a2b6fd4 100644
--- a/assets/release/release-aarch64.json
+++ b/assets/release/release-aarch64.json
@@ -1,20 +1,20 @@ { "release": { - "base": "4.12.0-0.nightly-arm64-2023-02-26-022416" + "base": "4.12.0-0.nightly-arm64-2023-03-07-014438" }, "images": { - "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:deceba7099a0aeb7c82df21f74631f28ad2790c27c668849e7f5c8782b9ffa8f", - "coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bc4f910e887594c4a3b14fcfe76a17978e013112419d7fb3e060b081ec0aa31e", - "haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ad49b74e620fbe3ffe5ca1bd998750869026f71ae250b55ed1e5312baae95ac6", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:74084d78b2f16bdf566d0ca092a5a75d914027f58aa6b78f09ecb688e9d8b404", + "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2d19d1ede0462e880751f44e288491fd539f054b44fdd28cd3314bdd0fb927aa", + "coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c0161e495285e62f68c41640ff106945276b8fcc14cdf8c062f29ad71f2e741a", + "haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6adc1bc218be5fe1221bcd03dd1c1d31317e9de1bb3f3a028947e10c38711072", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1d83bac5fac46aec5b4d5cff90e83713cd56466aac0f05d5f00d27dc01ffa073", "lvms-topolvm": "registry.redhat.io/lvms4/topolvm-rhel8@sha256:10bffded5317da9de6c45ba74f0bb10e0a08ddb2bfef23b11ac61287a37f10a1", "openssl": "registry.access.redhat.com/ubi8/openssl@sha256:9e743d947be073808f7f1750a791a3dbd81e694e37161e8c6c6057c2c342d671", - "csi-external-provisioner": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cc302e21c073cd7b18110e69d449b06bc71198e5f8d6ff8357759202e215c45e", - "csi-external-resizer": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:92834e0c216abdd62b051807d054abca1b7bc2d0b45f390cda2e14f68e868d2a", - "csi-node-driver-registrar": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:05148205cb9414b72a7cd83965447b6e5eb5c65492268d247291db8e77afe783", - "csi-livenessprobe": 
"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:bc825fc6123d66feb35da08022fe757a70ae05ec9659d13a128f6fae9a1988e2", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:074dcae4c66c87464457737d48a6cf281fd8141ecda7e335870cedc002391c8c", - "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5711fd19828b8375f5f95b74b568d265399de50f36c94184d97714c89d1bed14", - "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d875990af5102e92773c737d955e23bb8f563df05b3652c53d0ebe2cbad809f8" + "csi-external-provisioner": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:51fd02cd5a6c33d765dd53bc5a949877a5061fb7bbdb906c793d76640f2848b0", + "csi-external-resizer": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0d4bc7624f6c1797eb1465a83ee5e68fcc8314212bb7c118620135dddb138db1", + "csi-node-driver-registrar": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5af1c736990fa72c99a2eb4736aecad77a51f8740a40e4b1fe472c85aff49849", + "csi-livenessprobe": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8cc32f9b925358883288fb10f0ae9454fae3f7cc7d9c35052247ade4ecfbe96e", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:65fa5617833f638d91f1a660446eee2501732146b2d946eda93d6e95cb62f2fe", + "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:04cc86b7cb6c5825525873137f8d6f5e2bb7875406df4ff14d1a155d409eb604", + "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9558f0cd85d78b8aac1023543098033a5c8bce948004f4cd04d57fa68b88292a" } } diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json index 93428deb9ea..e8679d123fa 100644 --- a/assets/release/release-x86_64.json +++ b/assets/release/release-x86_64.json 
@@ -1,20 +1,20 @@ { "release": { - "base": "4.12.0-0.nightly-2023-02-26-022418" + "base": "4.12.0-0.nightly-2023-03-06-151602" }, "images": { - "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d9feb297a0007232cd124c9d0c94360b6ad35b81350b2b55469efc14fda48c72", - "coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:8e8ad4781031b2bada8fe04aba3ba732530afa9b048c6e874934bc4bfefac8be", - "haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9d617ec9a2e82f2b2bf2dcab9695d49426db17674bf970d4b1dc146d66db863b", - "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:828be510029fdb379732cb7798a70d5433cb4921f3a99d73342c2d452d3b40c3", + "cli": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6ffec1ff95bc30419bf814144fb58585bdd470b4a7baf505c96c51fb620320e9", + "coredns": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddf81e535cf7a6b2775f3db690ec1e6eaa1c7427a0f9b98ce120d8ad06520440", + "haproxy-router": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a7f55a043a08732dbd65bee03ccb10b10936ad398075d3966af8b04850f7613b", + "kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2ec398c84b26e79546dd6f98a5e5cc89a9b3d9e36d681bca54cd436cd2f81324", "lvms-topolvm": "registry.redhat.io/lvms4/topolvm-rhel8@sha256:10bffded5317da9de6c45ba74f0bb10e0a08ddb2bfef23b11ac61287a37f10a1", "openssl": "registry.access.redhat.com/ubi8/openssl@sha256:9e743d947be073808f7f1750a791a3dbd81e694e37161e8c6c6057c2c342d671", - "csi-external-provisioner": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3a2d0451979d785a004227a5a66bae3b00467fe6734e6270bd67697f79920f88", - "csi-external-resizer": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d792755d7e9bda9d95525984f8823f5fde8304902e278ac3729fcd94c585045c", - "csi-node-driver-registrar": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:211d1573308c92367f9e7e0e6ffb06257748dc81666b0629e8c210a172f13629", - "csi-livenessprobe": 
"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:21bbb5586c93ddc2b847c2a4971c6e0264ab6ea641b4d4079c863ce4f87b3b3d", - "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:41cff578751b931f3b3770758014463cf48b42a7a29568b8d89c8ed6c8e9cb19", - "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a4d416241b671657a03a1a3a149e0f6742591fd32761937be40fa2df09a8ce47", - "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ad2114b3e9d4271c01728276e5ab49733e24f1603bd3927fc7a439eaa98f8753" + "csi-external-provisioner": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:45e0ed677f1828c88abb0d895a8822c22ea5c6f2b2f9b4a08d5cc570a7e522cf", + "csi-external-resizer": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6570eb675350100d4ed00933fb0bfa353e631e0574cf1a507501707b995e330a", + "csi-node-driver-registrar": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b191beae6beb4085c692c4a7e04034a479aee3ebda17716955f95f993fcd2db3", + "csi-livenessprobe": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d24230cf30092fa3ee31b03ac40abdf29fcf9059bda608cac8f0e5c0767b2ac1", + "ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e61bf1043b13cd30bfe6f64bbabf5428f74b9d8b6cb47649c8af4b369e4dc079", + "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ae8d819e5e304beeb27aa7abf69e4cab2686a40596afd221d848249560db0485", + "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ec82e2a574537773e53dfde47806fa00fe7d7e1d51b02b84f18e501993d2a3e8" } } diff --git a/go.mod b/go.mod index fe08ef250a4..aa094ca2629 100644 --- a/go.mod +++ b/go.mod 
@@ -11,7 +11,7 @@ require ( github.com/openshift/api v0.0.0-20221116152553-4b67c2b2bb1e github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c - github.com/openshift/cluster-policy-controller v0.0.0-20230220142510-a78a00b3632f + github.com/openshift/cluster-policy-controller v0.0.0-20230227104154-139ac0499ac4 github.com/openshift/library-go v0.0.0-20221205131816-1700fb06ea43 github.com/openshift/route-controller-manager v0.0.0-20221130011049-9e74d175e81e github.com/pkg/errors v0.9.1 diff --git a/go.sum b/go.sum index 4cd64821bff..4a94bed007f 100644 --- a/go.sum +++ b/go.sum 
@@ -525,8 +525,8 @@ github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d h1:RR github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE= github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c h1:CV76yFOTXmq9VciBR3Bve5ZWzSxdft7gaMVB3kS0rwg= github.com/openshift/client-go v0.0.0-20221019143426-16aed247da5c/go.mod h1:lFMO8mLHXWFzSdYvGNo8ivF9SfF6zInA8ZGw4phRnUE= -github.com/openshift/cluster-policy-controller v0.0.0-20230220142510-a78a00b3632f h1:UPym333K9qZ9oPkX+qNgTmW+tG2ytvntqbox3u/2AI0= -github.com/openshift/cluster-policy-controller v0.0.0-20230220142510-a78a00b3632f/go.mod h1:vlkRuwyRueLOQ/ZRRle+rCrh+YNoh+pzJm9WaN9e6mU= +github.com/openshift/cluster-policy-controller v0.0.0-20230227104154-139ac0499ac4 h1:Y7Q1YTwgElV1FPd4G8pCN0GkWSSzAkF1SIpupC3ilyE= +github.com/openshift/cluster-policy-controller v0.0.0-20230227104154-139ac0499ac4/go.mod h1:vlkRuwyRueLOQ/ZRRle+rCrh+YNoh+pzJm9WaN9e6mU= github.com/openshift/etcd/api/v3 v3.5.1-0.20220707134052-31b6b2d9b4d7 h1:0zi9RAHd0uq9gwtbMvRbLJJkgVBpFU7EIj3LQkY7hXk= github.com/openshift/etcd/api/v3 v3.5.1-0.20220707134052-31b6b2d9b4d7/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A= github.com/openshift/etcd/client/pkg/v3 v3.5.1-0.20220707134052-31b6b2d9b4d7 h1:AYz2JmZ7SCtJnpN4HiAgoVYW9AV54CJSiz8c9vig0NM= diff --git a/packaging/crio.conf.d/microshift_amd64.conf b/packaging/crio.conf.d/microshift_amd64.conf index 59ab3302e33..a3f4455a7fd 100644 --- a/packaging/crio.conf.d/microshift_amd64.conf +++ b/packaging/crio.conf.d/microshift_amd64.conf 
@@ -15,4 +15,4 @@ plugin_dirs = [ # for community builds on top of OKD, this setting has no effect [crio.image] global_auth_file="/etc/crio/openshift-pull-secret" -pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a4d416241b671657a03a1a3a149e0f6742591fd32761937be40fa2df09a8ce47" +pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ae8d819e5e304beeb27aa7abf69e4cab2686a40596afd221d848249560db0485" diff --git a/packaging/crio.conf.d/microshift_arm64.conf b/packaging/crio.conf.d/microshift_arm64.conf index a4b75696674..749c66d3b29 100644 --- a/packaging/crio.conf.d/microshift_arm64.conf +++ b/packaging/crio.conf.d/microshift_arm64.conf @@ -15,4 +15,4 @@ plugin_dirs = [ # for community builds on top of OKD, this setting has no effect [crio.image] global_auth_file="/etc/crio/openshift-pull-secret" -pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5711fd19828b8375f5f95b74b568d265399de50f36c94184d97714c89d1bed14" +pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:04cc86b7cb6c5825525873137f8d6f5e2bb7875406df4ff14d1a155d409eb604" diff --git a/scripts/auto-rebase/changelog.txt b/scripts/auto-rebase/changelog.txt index 7ca77926683..f8d1f58cf2d 100644 --- a/scripts/auto-rebase/changelog.txt +++ b/scripts/auto-rebase/changelog.txt 
@@ -1,17 +1,9 @@ -# cluster-kube-apiserver-operator embedded-component 336ffd5e7491f565faccf843571303377b1d4825 to a9a4df5f0cedeba2868a6ceb63ab58f67a0cdbf2 -f4c118ce9aec186b70615399ff71829bc7a0d044 2023-02-15T18:10:50+01:00 Guard pod set readiness probe endpoint explicitly -# cluster-network-operator embedded-component 43bc195cf9fef2db627369f86d10e0f501e9d3fa to 6f5e144f260333ad0f70a88a55eab4fc81ecd7a2 -3a98f98c4eb01338731c9dbd55b618f6b7c244b4 2023-01-17T20:11:33-06:00 added missing api field podref -# cluster-policy-controller embedded-component 105cc773b37f00be2351c9a4e6df24af94d547c1 to a78a00b3632f2c5a977ca200bf2b7a421eb121a8 -1bde0c94e6156fb9b28aac527ed601f7dff1c306 2023-02-18T11:22:19+01:00 update psa dependency version -6e315800c16b38ec0b4dd7d2a37f4606d4ba707e 2023-02-17T15:34:48+01:00 update controller-manager dependency to point to v0.25.0 -# kubernetes embedded-component a34b9e9499e6c3a94e2326652bd8236a5378c0b2 to 18eadcaadf0be77350013c8911ca953bc2ca3778 -57fc96959152c8c7ec33ac40b29f447accb6db17 2023-02-10T14:38:06+01:00 UPSTREAM: : bump(apiserver-library-go): scc admission - seccomp profiles fix -# ovn-kubernetes image-amd64 cf9fb51510e1870961bf3a0f064b73536757a4f8 to 5f8cd83cb3efb1d167f0da085f880377958ea502 -08b8105edc3a7da9316a77c1f149a9121665018c 2023-02-10T10:17:26+01:00 Delete stale egress ip snat entries by node -# kubernetes image-amd64 a34b9e9499e6c3a94e2326652bd8236a5378c0b2 to 18eadcaadf0be77350013c8911ca953bc2ca3778 -57fc96959152c8c7ec33ac40b29f447accb6db17 2023-02-10T14:38:06+01:00 UPSTREAM: : bump(apiserver-library-go): scc admission - seccomp profiles fix -# ovn-kubernetes image-arm64 cf9fb51510e1870961bf3a0f064b73536757a4f8 to 5f8cd83cb3efb1d167f0da085f880377958ea502 -08b8105edc3a7da9316a77c1f149a9121665018c 2023-02-10T10:17:26+01:00 Delete stale egress ip snat entries by node -# kubernetes image-arm64 a34b9e9499e6c3a94e2326652bd8236a5378c0b2 to 18eadcaadf0be77350013c8911ca953bc2ca3778 -57fc96959152c8c7ec33ac40b29f447accb6db17 
2023-02-10T14:38:06+01:00 UPSTREAM: : bump(apiserver-library-go): scc admission - seccomp profiles fix +# cluster-kube-apiserver-operator embedded-component a9a4df5f0cedeba2868a6ceb63ab58f67a0cdbf2 to e840002d36b0daeccfb040dabc1f37f309b7207b +613faf75924e311f3af87fbe1d1d99503a522431 2023-02-01T11:12:25+01:00 make the bootstrap kube-apiserver honor cluster-wide featuregates +# cluster-policy-controller embedded-component a78a00b3632f2c5a977ca200bf2b7a421eb121a8 to 139ac0499ac4d744023827ceb6d16aa6b467be27 +938944b9accb838dc7cd98e5f5f3399c332efed1 2023-02-22T13:01:35+01:00 psalabelsyncer: invert the enforce/log logic to default to logging +300027404416cb1ce35e484707f6621aee732c99 2023-02-01T11:35:27+01:00 enforce pod security admission when techpreview is enabled +# oc image-amd64 b05f7d40f9a2dac30771be620e9e9148d26ffd07 to 846602e50eb29ecdc7441ebed2fc846048959eaa +2466e48e0833c33adda7c733cae9c7933ac58368 2023-02-24T18:27:49+00:00 pkg/cli/admin/upgrade/channel: Use PATCH instead of POST for spec updates +# oc image-arm64 b05f7d40f9a2dac30771be620e9e9148d26ffd07 to 846602e50eb29ecdc7441ebed2fc846048959eaa +2466e48e0833c33adda7c733cae9c7933ac58368 2023-02-24T18:27:49+00:00 pkg/cli/admin/upgrade/channel: Use PATCH instead of POST for spec updates diff --git a/scripts/auto-rebase/commits.txt b/scripts/auto-rebase/commits.txt index c0d03eaebac..e44eaf0ac40 100644 --- a/scripts/auto-rebase/commits.txt +++ b/scripts/auto-rebase/commits.txt 
@@ -1,18 +1,18 @@ https://github.com/openshift/cluster-dns-operator embedded-component 1c136fe38b8cd5c0de99577d23157f884728d20b https://github.com/openshift/cluster-ingress-operator embedded-component 992b43b3cf3e1784bfe8d3083229c7ecb410e7e3 -https://github.com/openshift/cluster-kube-apiserver-operator embedded-component a9a4df5f0cedeba2868a6ceb63ab58f67a0cdbf2 +https://github.com/openshift/cluster-kube-apiserver-operator embedded-component e840002d36b0daeccfb040dabc1f37f309b7207b https://github.com/openshift/cluster-kube-controller-manager-operator embedded-component 73f7ea7014f57cc37d6f2c720d3bcc00c7d4718b https://github.com/openshift/cluster-kube-scheduler-operator embedded-component 845ae423e831b1cacf0bcae5e6528f1d21b5ddf2 https://github.com/openshift/cluster-network-operator embedded-component 6f5e144f260333ad0f70a88a55eab4fc81ecd7a2 https://github.com/openshift/cluster-openshift-controller-manager-operator embedded-component d1915d130481541b8bacb5b98eddbc1541809d0a -https://github.com/openshift/cluster-policy-controller embedded-component a78a00b3632f2c5a977ca200bf2b7a421eb121a8 +https://github.com/openshift/cluster-policy-controller embedded-component 139ac0499ac4d744023827ceb6d16aa6b467be27 https://github.com/openshift/etcd embedded-component 978cfefd2f21c4ec1ac84ed95130cbff510fbe1b https://github.com/openshift/kubernetes embedded-component 18eadcaadf0be77350013c8911ca953bc2ca3778 https://github.com/openshift/machine-config-operator embedded-component 4099f3c4f4ea9df85a7516a6300a4c6e5504a5cd https://github.com/openshift/openshift-controller-manager embedded-component b6528f9ea28164af9f1ceea0e50f18116fe3c90e https://github.com/openshift/route-controller-manager embedded-component 9e74d175e81ef6a2beb3718398e3fc99dded037c https://github.com/openshift/service-ca-operator embedded-component 299b7097a49385fdd4f86eccedc07f3a192e2504 -https://github.com/openshift/oc image-amd64 b05f7d40f9a2dac30771be620e9e9148d26ffd07 +https://github.com/openshift/oc image-amd64 
846602e50eb29ecdc7441ebed2fc846048959eaa https://github.com/openshift/coredns image-amd64 9aaa7e0a86b69bafb9f544a0e5cb1873535a8f6b https://github.com/openshift/csi-external-provisioner image-amd64 140851f6c0e70cf917b3361808b31628c68ea8a5 https://github.com/openshift/csi-external-resizer image-amd64 239d751f51743214417dd5058645c2c1d390d1b5 @@ -23,7 +23,7 @@ https://github.com/openshift/kube-rbac-proxy image-amd64 513fd32175af4bb03f2e8a3 https://github.com/openshift/ovn-kubernetes image-amd64 5f8cd83cb3efb1d167f0da085f880377958ea502 https://github.com/openshift/kubernetes image-amd64 18eadcaadf0be77350013c8911ca953bc2ca3778 https://github.com/openshift/service-ca-operator image-amd64 299b7097a49385fdd4f86eccedc07f3a192e2504 -https://github.com/openshift/oc image-arm64 b05f7d40f9a2dac30771be620e9e9148d26ffd07 +https://github.com/openshift/oc image-arm64 846602e50eb29ecdc7441ebed2fc846048959eaa https://github.com/openshift/coredns image-arm64 9aaa7e0a86b69bafb9f544a0e5cb1873535a8f6b https://github.com/openshift/csi-external-provisioner image-arm64 140851f6c0e70cf917b3361808b31628c68ea8a5 https://github.com/openshift/csi-external-resizer image-arm64 239d751f51743214417dd5058645c2c1d390d1b5 diff --git a/scripts/auto-rebase/last_rebase.sh b/scripts/auto-rebase/last_rebase.sh index 0c1b1c296fa..e1f9d2b5c5a 100755 --- a/scripts/auto-rebase/last_rebase.sh +++ b/scripts/auto-rebase/last_rebase.sh @@ -1,2 +1,2 @@ #!/bin/bash -x -./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release:4.12.0-0.nightly-2023-02-26-022418" "registry.ci.openshift.org/ocp-arm64/release-arm64:4.12.0-0.nightly-arm64-2023-02-26-022416" +./scripts/auto-rebase/rebase.sh to "registry.ci.openshift.org/ocp/release:4.12.0-0.nightly-2023-03-06-151602" "registry.ci.openshift.org/ocp-arm64/release-arm64:4.12.0-0.nightly-arm64-2023-03-07-014438" 
diff --git a/vendor/github.com/openshift/cluster-policy-controller/pkg/cmd/controller/psalabelsyncer.go b/vendor/github.com/openshift/cluster-policy-controller/pkg/cmd/controller/psalabelsyncer.go index 6ed9943585c..cb1bc23ec5d 100644 --- a/vendor/github.com/openshift/cluster-policy-controller/pkg/cmd/controller/psalabelsyncer.go +++ b/vendor/github.com/openshift/cluster-policy-controller/pkg/cmd/controller/psalabelsyncer.go @@ -4,6 +4,7 @@ import ( "context" "github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer" + "k8s.io/apimachinery/pkg/util/sets" ) func runPodSecurityAdmissionLabelSynchronizationController(ctx context.Context, controllerCtx *EnhancedControllerContext) (bool, error) { 
@@ -13,19 +14,40 @@ func runPodSecurityAdmissionLabelSynchronizationController(ctx context.Context, return true, err } - controller, err := psalabelsyncer.NewPodSecurityAdmissionLabelSynchronizationController( - kubeClient.CoreV1().Namespaces(), - controllerCtx.KubernetesInformers.Core().V1().Namespaces(), - controllerCtx.KubernetesInformers.Rbac().V1(), - controllerCtx.KubernetesInformers.Core().V1().ServiceAccounts(), - controllerCtx.SecurityInformers.Security().V1().SecurityContextConstraints(), - controllerCtx.EventRecorder.ForComponent("podsecurity-admission-label-sync-controller"), - ) + featureGates := sets.NewString(controllerCtx.OpenshiftControllerConfig.FeatureGates...) + switch { + case featureGates.Has("OpenShiftPodSecurityAdmission=true"): + // if explicitly on, enable + controller, err := psalabelsyncer.NewEnforcingPodSecurityAdmissionLabelSynchronizationController( + kubeClient.CoreV1().Namespaces(), + controllerCtx.KubernetesInformers.Core().V1().Namespaces(), + controllerCtx.KubernetesInformers.Rbac().V1(), + controllerCtx.KubernetesInformers.Core().V1().ServiceAccounts(), + controllerCtx.SecurityInformers.Security().V1().SecurityContextConstraints(), + controllerCtx.EventRecorder.ForComponent("podsecurity-admission-label-sync-controller"), + ) + if err != nil { + return true, err + } + go controller.Run(ctx, 1) - if err != nil { - return true, err + case featureGates.Has("OpenShiftPodSecurityAdmission=false"): + // if explicitly off or unspecified, run as logging. 
+ fallthrough + default: + controller, err := psalabelsyncer.NewAdvisingPodSecurityAdmissionLabelSynchronizationController( + kubeClient.CoreV1().Namespaces(), + controllerCtx.KubernetesInformers.Core().V1().Namespaces(), + controllerCtx.KubernetesInformers.Rbac().V1(), + controllerCtx.KubernetesInformers.Core().V1().ServiceAccounts(), + controllerCtx.SecurityInformers.Security().V1().SecurityContextConstraints(), + controllerCtx.EventRecorder.ForComponent("podsecurity-admission-label-sync-controller"), + ) + if err != nil { + return true, err + } + go controller.Run(ctx, 1) } - go controller.Run(ctx, 1) return true, nil } diff --git a/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/podsecurity_label_sync_controller.go b/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/podsecurity_label_sync_controller.go index 49c4b849f99..af360db7510 100644 --- a/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/podsecurity_label_sync_controller.go +++ b/vendor/github.com/openshift/cluster-policy-controller/pkg/psalabelsyncer/podsecurity_label_sync_controller.go @@ -41,6 +41,8 @@ const ( // admission namespace label to match the user account privileges in terms of being able // to use SCCs type PodSecurityAdmissionLabelSynchronizationController struct { + shouldEnforce bool + namespaceClient corev1client.NamespaceInterface namespaceLister corev1listers.NamespaceLister 
@@ -53,7 +55,46 @@ type PodSecurityAdmissionLabelSynchronizationController struct { saToSCCsCache SAToSCCCache } -func NewPodSecurityAdmissionLabelSynchronizationController( +func NewEnforcingPodSecurityAdmissionLabelSynchronizationController( + namespaceClient corev1client.NamespaceInterface, + namespaceInformer corev1informers.NamespaceInformer, + rbacInformers rbacv1informers.Interface, + serviceAccountInformer corev1informers.ServiceAccountInformer, + sccInformer securityv1informers.SecurityContextConstraintsInformer, + eventRecorder events.Recorder, +) (factory.Controller, error) { + return newPodSecurityAdmissionLabelSynchronizationController( + true, + namespaceClient, + namespaceInformer, + rbacInformers, + serviceAccountInformer, + sccInformer, + eventRecorder, + ) +} + +func NewAdvisingPodSecurityAdmissionLabelSynchronizationController( + namespaceClient corev1client.NamespaceInterface, + namespaceInformer corev1informers.NamespaceInformer, + rbacInformers rbacv1informers.Interface, + serviceAccountInformer corev1informers.ServiceAccountInformer, + sccInformer securityv1informers.SecurityContextConstraintsInformer, + eventRecorder events.Recorder, +) (factory.Controller, error) { + return newPodSecurityAdmissionLabelSynchronizationController( + false, + namespaceClient, + namespaceInformer, + rbacInformers, + serviceAccountInformer, + sccInformer, + eventRecorder, + ) +} + +func newPodSecurityAdmissionLabelSynchronizationController( + shouldEnforce bool, namespaceClient corev1client.NamespaceInterface, namespaceInformer corev1informers.NamespaceInformer, rbacInformers rbacv1informers.Interface, @@ -82,6 +123,8 @@ func NewPodSecurityAdmissionLabelSynchronizationController( syncCtx := factory.NewSyncContext(controllerName, eventRecorder.WithComponentSuffix(controllerName)) c := &PodSecurityAdmissionLabelSynchronizationController{ + shouldEnforce: shouldEnforce, + namespaceClient: namespaceClient, namespaceLister: namespaceInformer.Lister(), 
@@ -210,19 +253,48 @@ func (c *PodSecurityAdmissionLabelSynchronizationController) syncNamespace(ctx c nsCopy := ns.DeepCopy() var changed bool - for typeLabel, versionLabel := range map[string]string{ - psapi.WarnLevelLabel: psapi.WarnVersionLabel, - psapi.AuditLevelLabel: psapi.AuditVersionLabel, - } { - if ns.Labels[typeLabel] != string(psaLevel) || ns.Labels[versionLabel] != currentPSaVersion { + + if c.shouldEnforce { + if nsCopy.Labels[psapi.EnforceLevelLabel] != string(psaLevel) || nsCopy.Labels[psapi.EnforceVersionLabel] != currentPSaVersion { changed = true if nsCopy.Labels == nil { nsCopy.Labels = map[string]string{} } - nsCopy.Labels[typeLabel] = string(psaLevel) - nsCopy.Labels[versionLabel] = currentPSaVersion + nsCopy.Labels[psapi.EnforceLevelLabel] = string(psaLevel) + nsCopy.Labels[psapi.EnforceVersionLabel] = currentPSaVersion + } + + // cleanup audit and warn labels from version 4.11 + // TODO: This can be removed in 4.13 and allow users set these as they wish + for typeLabel, versionLabel := range map[string]string{ + psapi.WarnLevelLabel: psapi.WarnVersionLabel, + psapi.AuditLevelLabel: psapi.AuditVersionLabel, + } { + if _, ok := nsCopy.Labels[typeLabel]; ok { + delete(nsCopy.Labels, typeLabel) + changed = true + } + if _, ok := nsCopy.Labels[versionLabel]; ok { + delete(nsCopy.Labels, versionLabel) + changed = true + } + } + } else { + for typeLabel, versionLabel := range map[string]string{ + psapi.WarnLevelLabel: psapi.WarnVersionLabel, + psapi.AuditLevelLabel: psapi.AuditVersionLabel, + } { + if ns.Labels[typeLabel] != string(psaLevel) || ns.Labels[versionLabel] != currentPSaVersion { + changed = true + if nsCopy.Labels == nil { + nsCopy.Labels = map[string]string{} + } + + nsCopy.Labels[typeLabel] = string(psaLevel) + nsCopy.Labels[versionLabel] = currentPSaVersion + } } } diff --git a/vendor/modules.txt b/vendor/modules.txt index 81e9f3a2c23..37033e67521 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -863,7 +863,7 @@ github.com/openshift/client-go/user/informers/externalversions/internalinterface github.com/openshift/client-go/user/informers/externalversions/user github.com/openshift/client-go/user/informers/externalversions/user/v1 github.com/openshift/client-go/user/listers/user/v1 -# github.com/openshift/cluster-policy-controller v0.0.0-20230220142510-a78a00b3632f +# github.com/openshift/cluster-policy-controller v0.0.0-20230227104154-139ac0499ac4 ## explicit; go 1.19 github.com/openshift/cluster-policy-controller/pkg/client/genericinformers github.com/openshift/cluster-policy-controller/pkg/cmd/cluster-policy-controller