Skip to content

CNTRLPLANE-1544: Use user namespace for the operator #397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 10, 2025
Merged

CNTRLPLANE-1544: Use user namespace for the operator #397

merged 1 commit into from
Nov 10, 2025

Conversation

@tchap
Copy link
Contributor

@tchap tchap commented Sep 12, 2025
edited
Loading

The operator now uses hostUsers: false in the associated deployment.
All relevant user and group IDs are set to 1000.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 12, 2025
@tchap
Copy link
Contributor Author

tchap commented Sep 15, 2025

/retest

@tchap tchap force-pushed the userns branch 7 times, most recently from 92693dd to b252943 Compare September 18, 2025 06:04
@tchap
Copy link
Contributor Author

tchap commented Sep 18, 2025

/retest

@tchap
Copy link
Contributor Author

tchap commented Sep 19, 2025

/retest

2 similar comments
@tchap
Copy link
Contributor Author

tchap commented Sep 22, 2025

/retest

@tchap
Copy link
Contributor Author

tchap commented Sep 29, 2025

/retest

@tchap tchap force-pushed the userns branch 3 times, most recently from 72cf759 to d5fd0f4 Compare October 2, 2025 05:53
@tchap
Copy link
Contributor Author

tchap commented Oct 2, 2025

/retest

@tchap tchap changed the title WIP: Use user namespaces for all deployments WIP: CNTRLPLANE-1544: Use user namespaces for all deployments Oct 6, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 6, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Oct 6, 2025
edited by openshift-ci bot
Loading

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.21.0" version, but no target version was set.

In response to this:

I am currently just researching user namespaces for future implementation, ignore this for now.

This goes for both the operator and the operand.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tchap
Copy link
Contributor Author

tchap commented Oct 6, 2025

/jira refresh

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Oct 6, 2025
edited by openshift-ci bot
Loading

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Oct 6, 2025
edited by openshift-ci bot
Loading

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

In response to this:

Use user namespaces for all deployments

This goes for both the operator and the operands.

All deployments now contain hostUsers: false.
The SC user and group IDs are set to 1000.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tchap tchap changed the title WIP: CNTRLPLANE-1544: Use user namespaces for all deployments CNTRLPLANE-1544: Use user namespaces for all deployments Oct 6, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 6, 2025
@tchap tchap changed the title CNTRLPLANE-1544: Use user namespaces for all deployments CNTRLPLANE-1544: Use user namespace for the operator Oct 7, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Oct 7, 2025
edited by openshift-ci bot
Loading

@tchap: This pull request references CNTRLPLANE-1544 which is a valid jira issue.

In response to this:

The operator now uses hostUsers: false in the associated deployment.
All relevant user and group IDs are set to 1000.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tchap tchap changed the title CNTRLPLANE-1544: Use user namespace for the operator WIP: CNTRLPLANE-1544: Use user namespace for the operator Oct 10, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 10, 2025
@tchap
Copy link
Contributor Author

tchap commented Oct 22, 2025

/retest

@ropatil010
Copy link

ropatil010 commented Oct 28, 2025

/retest

1 similar comment
@tchap
Copy link
Contributor Author

tchap commented Nov 3, 2025

/retest

@ropatil010
Copy link

ropatil010 commented Nov 4, 2025

/test e2e-upgrade

@tchap
manifests: Use user namespace for the operator
bbaad74 
The operator now uses hostUsers: false in the associated deployment.
All relevant user and group IDs are set to 1000.
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 4, 2025
edited
Loading

@tchap: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/openshift-e2e-aws-builds-techpreview 9cd9b4d link false /test openshift-e2e-aws-builds-techpreview

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@tchap
Copy link
Contributor Author

tchap commented Nov 6, 2025

Actually blocked by openshift/cluster-version-operator#1257

@tchap tchap changed the title WIP: CNTRLPLANE-1544: Use user namespace for the operator CNTRLPLANE-1544: Use user namespace for the operator Nov 7, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 7, 2025
@tchap
Copy link
Contributor Author

tchap commented Nov 7, 2025

/retest

tchap
tchap commented Nov 10, 2025
View reviewed changes
manifests/09_deployment.yaml
hostUsers: false
securityContext:
runAsNonRoot: true
runAsUser: 65534
Copy link
Contributor Author

@tchap tchap Nov 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now set automatically by restricted-v3 to 1000.

@ingvagabund
Copy link
Member

ingvagabund commented Nov 10, 2025

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 10, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ingvagabund, tchap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 10, 2025
@tchap
Copy link
Contributor Author

tchap commented Nov 10, 2025

/verified by ci/prow/e2e-aws-operator

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Nov 10, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 10, 2025

@tchap: This PR has been marked as verified by ci/prow/e2e-aws-operator.

In response to this:

/verified by ci/prow/e2e-aws-operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot bot merged commit 12b7668 into openshift:master Nov 10, 2025
12 checks passed
@tchap tchap deleted the userns branch November 10, 2025 12:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@divyansh42 divyansh42 Awaiting requested review from divyansh42

@sayan-biswas sayan-biswas Awaiting requested review from sayan-biswas

Assignees

@ingvagabund ingvagabund

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tchap @openshift-ci-robot @ropatil010 @ingvagabund