CC: Merge from main to CCv0, Aug 7th, 2023

fidencio · fidencio · commit 72b42d4e4740 · 2023-08-07T11:06:11.000+02:00
The usual weekly merge. Fixes: kata-containers#5741 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
diff --git a/.ci/lib.sh b/.ci/lib.sh
@@ -6,6 +6,14 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
+# Ensure GOPATH set
+if command -v go > /dev/null; then
+	export GOPATH=${GOPATH:-$(go env GOPATH)}
+else
+	# if go isn't installed, set default location for GOPATH
+	export GOPATH="${GOPATH:-$HOME/go}"
+fi
+
 export KATA_KSM_THROTTLER=${KATA_KSM_THROTTLER:-no}
 export KATA_QEMU_DESTDIR=${KATA_QEMU_DESTDIR:-"/usr"}
 export KATA_ETC_CONFIG_PATH="/etc/kata-containers/configuration.toml"
@@ -36,14 +44,6 @@ export KATA_NET_TIMEOUT=30
 
 source /etc/os-release || source /usr/lib/os-release
 
-# Ensure GOPATH set
-if command -v go > /dev/null; then
-	export GOPATH=${GOPATH:-$(go env GOPATH)}
-else
-	# if go isn't installed, set default location for GOPATH
-	export GOPATH="${GOPATH:-$HOME/go}"
-fi
-
 # Support Golang 1.16.x.
 # By default in Golang >= 1.16 GO111MODULE is set to "on",
 # some subprojects in this repo may not support "go modules",
diff --git a/.ci/openshift-ci/smoke/http-server.yaml b/.ci/openshift-ci/smoke/http-server.yaml
@@ -18,4 +18,13 @@ spec:
         - containerPort: 8080
       command: ["python3"]
       args: [ "-m", "http.server", "8080"]
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
   runtimeClassName: kata-qemu
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.2.0-alpha3
+3.2.0-rc0
diff --git a/kata-webhook/deploy/webhook.yaml b/kata-webhook/deploy/webhook.yaml
@@ -41,6 +41,15 @@ spec:
             requests:
               cpu: "100m"
               memory: "250Mi"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+                drop:
+                    - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+                type: RuntimeDefault
       volumes:
         - name: webhook-certs
           secret:
diff --git a/kata-webhook/webhook-check.sh b/kata-webhook/webhook-check.sh
@@ -57,6 +57,15 @@ check_working() {
 	      image: quay.io/prometheus/busybox:latest
 	      command: ["echo", "Hello Webhook"]
 	      imagePullPolicy: IfNotPresent
+	      securityContext:
+	        allowPrivilegeEscalation: false
+	        capabilities:
+	          drop:
+	            - ALL
+	        runAsNonRoot: true
+	        runAsUser: 1000
+	        seccompProfile:
+	          type: RuntimeDefault
 	EOF
 	local class_name=$(kubectl get -n ${WEBHOOK_NS} \
 		-o jsonpath='{.spec.runtimeClassName}' pod/${hello_pod})
