cilium / cilium / 39186
39%

DEFAULT BRANCH: master
Ran
Jobs 3
Files 908
Run time 47min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 35.014% (-0.002%) from 35.016%
39186

push

travis-ci-com

aanm 
helm: Remove Unnecessary RBAC Permissions for Agent

In October 2020, we made changes[1] to the cilium-agent's
ClusterRole to be more permissive. We did this, because
Openshift enables[2] the OwnerReferencesPermissionEnforcement[3]
admission controller. This admissions controller prevents
changes to the metadata.ownerReferences of any object
unless the entity (the cilium-agent in this case) has
permission to delete the object as well. Furthermore,
the controller allows protects metadata.ownerReferences[x].blockOwnerDeletion
of a resource unless the entity (again, the cilium-agent) has
"update" access to the finalizer of the object having its
deletion blocked. The original PR mistakenly assumed we
set ownerReferences on pods and expanded cilium-agent's
permissions beyond what was necessary. Cilium-agent
only sets ownerReferences on a CiliumEndpoint and the
blockOwnerDeletion field propagates up to the "owning"
pod of the endpoint. Cilium-agent only needs to be able
to delete CiliumEndpoints (which it has always been able to)
and "update" pod/finalizers (to set the blockOwnerDeletion field
on CiliumEndpoints). All other changes contained in #13369
were unnecessary.

1 https://github.com/cilium/cilium/pull/13369
2 https://docs.openshift.com/container-platform/4.6/architecture/admission-plug-ins.html
3 https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>

44705 of 127677 relevant lines covered (35.01%)

6989.75 hits per line

Jobs
ID Job ID Ran Files Coverage
1 39186.1 0
35.01
 Travis Job 39186.1
2 39186.2 0
35.0
 Travis Job 39186.2
3 39186.3 (RACE=1 BASE_IMAGE=quay.io/cilium/cilium-runtime:514cbfc3fccb32fb67193b4b686f508b2fa26621@sha256:30cf45c1feadd04d367c446d0a3e3530d85be1b1e86f166f2862fdc09950f6a0 LOCKDEBUG=1) 0
35.02
 Travis Job 39186.3
Source Files on build 39186
Detailed source file information is not available for this build.