Fix allow privilege escalation #48
Merged
Set AllowPrivilegeEscalation to true when enabling Privileged mode, as required by Kubernetes Pod Security Standards.
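The rule behind this change is a Kubernetes API server validation invariant: a container with `privileged: true` may not carry an explicit `allowPrivilegeEscalation: false`. The following is an added example, not code from this PR or the operator; `SecurityContext` is a stand-in for the two relevant fields of `corev1.SecurityContext` (nil meaning "unset", as in the API), and `validateSecurityContext` / `buildSecurityContext` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityContext is a stand-in for the two corev1.SecurityContext fields that
// matter here. nil means "not set", as in the Kubernetes API.
type SecurityContext struct {
	Privileged               *bool
	AllowPrivilegeEscalation *bool
}

func boolPtr(b bool) *bool { return &b }

// validateSecurityContext mirrors the API server check: a privileged container
// cannot have AllowPrivilegeEscalation explicitly set to false, because a
// privileged process can always escalate anyway.
func validateSecurityContext(sc *SecurityContext) error {
	if sc == nil || sc.Privileged == nil || !*sc.Privileged {
		return nil
	}
	if sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation {
		return errors.New("cannot set allowPrivilegeEscalation to false and privileged to true")
	}
	return nil
}

// buildSecurityContext is the operator-side construction: when privileged mode
// is requested, AllowPrivilegeEscalation is set to true explicitly so the spec
// passes validation; when it is not, escalation is disabled (least privilege).
func buildSecurityContext(privileged bool) *SecurityContext {
	return &SecurityContext{
		Privileged:               boolPtr(privileged),
		AllowPrivilegeEscalation: boolPtr(privileged),
	}
}

func main() {
	// Constructed inconsistent spec: privileged but escalation disabled.
	bad := &SecurityContext{Privileged: boolPtr(true), AllowPrivilegeEscalation: boolPtr(false)}
	fmt.Println("inconsistent spec:", validateSecurityContext(bad))
	fmt.Println("privileged spec:", validateSecurityContext(buildSecurityContext(true)))
	fmt.Println("unprivileged spec:", validateSecurityContext(buildSecurityContext(false)))
}
```

Running such a check before submitting the StatefulSet to the API server turns a rejected update (and a stuck reconcile loop) into an immediate, readable error.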
- Fix docker-buildx target missing build context in Makefile
- Remove duplicate logger WithValues in controller (controller-runtime automatically adds controller, namespace, name, and reconcileID)
- Change reconciliation to aggregate errors instead of fail-fast, allowing all adjustments to be attempted even if some components are missing
- Standardize log messages to "Component: action" format with structured key-value pairs
- Use V(1) debug level for no-op messages (when nothing changes) to reduce log noise during normal operation
Previously, ensureRole only checked if the role existed but didn't verify if the rules matched the desired state. If someone modified the role's rules, the operator wouldn't detect the drift. Now ensureRole compares existing rules with desired rules using reflect.DeepEqual and updates the role if they differ, matching the behavior of ensureRoleBinding.
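Drift detection of this kind is where RBAC tampering becomes visible to an operator, so the comparison has to be both complete and stable. The block below is an added example, not the operator's `ensureRole`; `PolicyRule` stands in for `rbacv1.PolicyRule`, and `rulesDrifted` / `normalizeRules` are hypothetical names. It goes one step beyond the commit message: `reflect.DeepEqual` is sensitive to slice order and to nil-versus-empty slices, so a live Role whose verbs the API server or a user merely reordered would be rewritten on every reconcile. Normalising both sides first keeps the check meaningful.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// PolicyRule is a stand-in for rbacv1.PolicyRule with the fields compared here.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// sortedCopy returns a sorted copy; a nil input becomes an empty slice.
func sortedCopy(in []string) []string {
	out := make([]string, len(in))
	copy(out, in)
	sort.Strings(out)
	return out
}

// normalizeRules returns a canonical deep copy: every string slice sorted, nil
// slices turned into empty ones, and the rules themselves in a stable order, so
// that reflect.DeepEqual compares meaning rather than encoding details.
func normalizeRules(rules []PolicyRule) []PolicyRule {
	out := make([]PolicyRule, 0, len(rules))
	for _, r := range rules {
		out = append(out, PolicyRule{
			APIGroups: sortedCopy(r.APIGroups),
			Resources: sortedCopy(r.Resources),
			Verbs:     sortedCopy(r.Verbs),
		})
	}
	sort.Slice(out, func(i, j int) bool {
		return fmt.Sprint(out[i]) < fmt.Sprint(out[j])
	})
	return out
}

// rulesDrifted reports whether the live Role's rules differ from the desired
// rules. A true result is the signal to Update the Role, as ensureRole does.
func rulesDrifted(existing, desired []PolicyRule) bool {
	return !reflect.DeepEqual(normalizeRules(existing), normalizeRules(desired))
}

func main() {
	desired := []PolicyRule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}}}
	// Constructed "live" states: one only reorders verbs, one grants an extra verb.
	reordered := []PolicyRule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"watch", "get", "list"}}}
	widened := []PolicyRule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch", "delete"}}}

	fmt.Println("raw DeepEqual flags reorder as drift:", !reflect.DeepEqual(reordered, desired))
	fmt.Println("normalized compare, reorder:", rulesDrifted(reordered, desired))
	fmt.Println("normalized compare, extra verb:", rulesDrifted(widened, desired))
}
```

The widened case is the one that matters for security: an added `delete` verb on pods is exactly the kind of out-of-band change a reconciler should revert and log.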
The StatefulSet uses the RollingUpdate strategy with partition=0, so Kubernetes handles pod rollouts automatically. Manual pod deletion to force updates is unnecessary and could interfere with the StatefulSet controller's rollout mechanism.
…ulSet patch
The StatefulSet controller does not automatically roll out pod template changes when existing pods are unhealthy. After patching the StatefulSet with the exports-mask volume, pods running on old revisions continue to fail because they lack the required /exports mount. This function detects pods running on outdated revisions and deletes them, allowing the StatefulSet controller to create new pods with the correct spec.
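The detection step described here, as an added example that is not the operator's own function: each pod's `controller-revision-hash` label (the label the StatefulSet controller stamps on the pods it creates) is compared against `status.updateRevision`, and `status.currentRevision` is deliberately ignored, since the status can report converged revisions while pods still run the old one. `Pod`, `StatefulSetStatus` and `outdatedPods` are stand-in types and a hypothetical name; the pod names and revision hashes are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// revisionLabel is the label the StatefulSet controller sets on every pod it
// creates, holding the ControllerRevision name the pod was built from.
const revisionLabel = "controller-revision-hash"

// Pod and StatefulSetStatus are stand-ins for the corev1/appsv1 fields used here.
type Pod struct {
	Name   string
	Labels map[string]string
}

type StatefulSetStatus struct {
	CurrentRevision string
	UpdateRevision  string
}

// outdatedPods returns, sorted, the names of pods whose revision label does not
// match the desired UpdateRevision. A pod with no revision label at all is also
// reported, since its spec cannot be confirmed to match. CurrentRevision is not
// consulted: only the per-pod label reflects what is actually running.
func outdatedPods(pods []Pod, status StatefulSetStatus) []string {
	var names []string
	for _, p := range pods {
		if p.Labels[revisionLabel] != status.UpdateRevision {
			names = append(names, p.Name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample: the StatefulSet was patched (rev-2) and the status
	// already reports rev-2 everywhere, but server-0 is still crash-looping on
	// rev-1 and the controller will not roll it on its own.
	status := StatefulSetStatus{CurrentRevision: "server-rev-2", UpdateRevision: "server-rev-2"}
	pods := []Pod{
		{Name: "server-0", Labels: map[string]string{revisionLabel: "server-rev-1"}},
		{Name: "server-1", Labels: map[string]string{revisionLabel: "server-rev-2"}},
	}
	fmt.Println("pods to delete so the controller re-creates them:", outdatedPods(pods, status))
}
```

The returned names are the ones the reconciler would delete; the StatefulSet controller then recreates each pod from the current template, which is the only safe way to "force" a rollout without fighting the controller.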
- Fix pruneStatefulSetOldRevision to compare actual pod revision labels against desired UpdateRevision instead of trusting StatefulSet status. The status can report matching revisions even when pods run old revisions.
- Add isNotFoundError helper to handle aggregate errors containing multiple NotFound errors, treating them as INFO instead of ERROR.
- Fix handleError to return only Result (no error) to use fixed requeue interval instead of exponential backoff, ensuring predictable 1-minute retry when SDI components become available.
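The second and third points above interact: once reconciliation aggregates errors, a helper that classifies the aggregate must look at every member, and the decision to requeue without returning an error is what keeps the retry cadence fixed. The block below is an added example, not the operator's `isNotFoundError` or `handleError`. `NotFoundError` stands in for the apimachinery NotFound status error, `Result` for `reconcile.Result` (only `RequeueAfter` is used), and the component names are constructed. The classifier walks both `Unwrap() []error` aggregates (as produced by `errors.Join`) and single-wrapped errors, so an aggregate that mixes a NotFound with a real failure is not downgraded to INFO.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// NotFoundError stands in for the apimachinery "NotFound" status error.
type NotFoundError struct{ Kind, Name string }

func (e *NotFoundError) Error() string { return fmt.Sprintf("%s %q not found", e.Kind, e.Name) }

// Result stands in for reconcile.Result; only RequeueAfter is used here.
type Result struct{ RequeueAfter time.Duration }

// requeueInterval is the fixed retry period used while waiting for external
// components to appear.
const requeueInterval = time.Minute

// isNotFoundError reports whether err consists entirely of NotFound errors.
// Aggregates are accepted only if every member is NotFound; a single
// non-NotFound member makes the whole aggregate a real failure.
func isNotFoundError(err error) bool {
	for err != nil {
		switch e := err.(type) {
		case *NotFoundError:
			return true
		case interface{ Unwrap() []error }: // errors.Join and multi-%w wrappers
			subs := e.Unwrap()
			if len(subs) == 0 {
				return false
			}
			for _, s := range subs {
				if !isNotFoundError(s) {
					return false
				}
			}
			return true
		case interface{ Unwrap() error }: // fmt.Errorf("...: %w", err)
			err = e.Unwrap()
		default:
			return false
		}
	}
	return false
}

// handleError maps a reconciliation error to a Result with a fixed requeue
// interval and returns no error. Handing a non-nil error back to
// controller-runtime would trigger its exponential backoff; returning only a
// Result keeps the retry predictable. The second value is the log severity.
func handleError(err error) (Result, string) {
	res := Result{RequeueAfter: requeueInterval}
	if isNotFoundError(err) {
		return res, "INFO"
	}
	return res, "ERROR"
}

func main() {
	// Constructed aggregates: one made only of missing components, one mixing a
	// missing component with a genuine failure.
	missing := errors.Join(
		&NotFoundError{Kind: "Deployment", Name: "example-component"},
		fmt.Errorf("ensure service: %w", &NotFoundError{Kind: "Service", Name: "example-component"}),
	)
	mixed := errors.Join(
		&NotFoundError{Kind: "Service", Name: "example-component"},
		errors.New("patch statefulset: forbidden"),
	)
	for _, err := range []error{missing, mixed} {
		res, level := handleError(err)
		fmt.Printf("%-5s requeue=%s err=%q\n", level, res.RequeueAfter, err)
	}
}
```

A forbidden or conflict error hidden inside an aggregate of NotFounds is the case worth guarding against: logging it at INFO would mask an RBAC or ownership problem behind a "waiting for components" message.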
Codecov Report ❌ Patch coverage is
@@ Coverage Diff @@
## master #48 +/- ##
=========================================
Coverage ? 14.68%
=========================================
Files ? 10
Lines ? 919
Branches ? 0
=========================================
Hits ? 135
Misses ? 771
Partials ? 13
No description provided.