cilium / cilium / 39186 / 3
39%
master: 39%

DEFAULT BRANCH: master
Ran
Files 908
Run time 4min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 35.016% (+0.01%) from 35.003%
RACE=1 BASE_IMAGE=quay.io/cilium/cilium-runtime:514cbfc3fccb32fb67193b4b686f508b2fa26621@sha256:30cf45c1feadd04d367c446d0a3e3530d85be1b1e86f166f2862fdc09950f6a0 LOCKDEBUG=1

push

travis-ci-com

aanm 
helm: Remove Unnecessary RBAC Permissions for Agent

In October 2020, we made changes[1] to the cilium-agent's
ClusterRole to be more permissive. We did this, because
Openshift enables[2] the OwnerReferencesPermissionEnforcement[3]
admission controller. This admissions controller prevents
changes to the metadata.ownerReferences of any object
unless the entity (the cilium-agent in this case) has
permission to delete the object as well. Furthermore,
the controller allows protects metadata.ownerReferences[x].blockOwnerDeletion
of a resource unless the entity (again, the cilium-agent) has
"update" access to the finalizer of the object having its
deletion blocked. The original PR mistakenly assumed we
set ownerReferences on pods and expanded cilium-agent's
permissions beyond what was necessary. Cilium-agent
only sets ownerReferences on a CiliumEndpoint and the
blockOwnerDeletion field propagates up to the "owning"
pod of the endpoint. Cilium-agent only needs to be able
to delete CiliumEndpoints (which it has always been able to)
and "update" pod/finalizers (to set the blockOwnerDeletion field
on CiliumEndpoints). All other changes contained in #13369
were unnecessary.

1 https://github.com/cilium/cilium/pull/13369
2 https://docs.openshift.com/container-platform/4.6/architecture/admission-plug-ins.html
3 https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>

44727 of 127732 relevant lines covered (35.02%)

2294.27 hits per line

Source Files on job 39186.3 (RACE=1 BASE_IMAGE=quay.io/cilium/cilium-runtime:514cbfc3fccb32fb67193b4b686f508b2fa26621@sha256:30cf45c1feadd04d367c446d0a3e3530d85be1b1e86f166f2862fdc09950f6a0 LOCKDEBUG=1)