CORENET-6290: Restrict access to mounted secrets in ovnkube-control-plane

[bradbehle]

Improve security of ovnkube-control-plane by removing read-all access to the mounted secrets. I tested this change manually, updating the ovnkube-control-plane deployment to use non-root 1001 user id and to set all the mounted secrets to 0640, and it worked fine because that 1001 user is still in the root group, and the mounted secret files are all owned by user root and group root.

[openshift-ci-robot]

@bradbehle: This pull request references CORENET-6290 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Improve security of ovnkube-control-plane by removing read-all access to the mounted secrets. I tested this change manually, updating the ovnkube-control-plane deployment to use non-root 1001 user id and to set all the mounted secrets to 0640, and it worked fine because that 1001 user is still in the root group, and the mounted secret files are all owned by user root and group root.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hi @bradbehle. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jeffnowicki]

/ok-to-test

[csrwng]

/lgtm

[rtheis]

/lgtm

[openshift-ci]

@rtheis: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kyrtapz]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bradbehle, csrwng, kyrtapz, rtheis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [kyrtapz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 67399b9 and 2 for PR HEAD b74ac27 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 67399b9 and 2 for PR HEAD b74ac27 in total

[rtheis]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6688e9a and 2 for PR HEAD b74ac27 in total

[rtheis]

/retest-required

[rtheis]

/retest-required

[rtheis]

/retest-required

[kyrtapz]

/override e2e-metal-ipi-ovn-dualstack-bgp-local-gw
https://issues.redhat.com/browse/OCPBUGS-60455

[openshift-ci]

@kyrtapz: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e-metal-ipi-ovn-dualstack-bgp-local-gw

Only the following failed contexts/checkruns were expected:

• ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade
• ci/prow/4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade
• ci/prow/4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-upgrade
• ci/prow/4.20-upgrade-from-stable-4.19-images
• ci/prow/e2e-aws-hypershift-ovn-kubevirt
• ci/prow/e2e-aws-ovn-hypershift-conformance
• ci/prow/e2e-aws-ovn-local-to-shared-gateway-mode-migration
• ci/prow/e2e-aws-ovn-serial
• ci/prow/e2e-aws-ovn-serial-ipsec
• ci/prow/e2e-aws-ovn-shared-to-local-gateway-mode-migration
• ci/prow/e2e-aws-ovn-single-node
• ci/prow/e2e-aws-ovn-upgrade
• ci/prow/e2e-aws-ovn-upgrade-ipsec
• ci/prow/e2e-aws-ovn-windows
• ci/prow/e2e-azure-ovn
• ci/prow/e2e-azure-ovn-upgrade
• ci/prow/e2e-gcp-ovn
• ci/prow/e2e-gcp-ovn-upgrade
• ci/prow/e2e-metal-ipi-ovn-dualstack-bgp
• ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw
• ci/prow/e2e-metal-ipi-ovn-ipv6
• ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec
• ci/prow/e2e-network-mtu-migration-ovn-ipv4
• ci/prow/e2e-network-mtu-migration-ovn-ipv6
• ci/prow/e2e-openstack-ovn
• ci/prow/e2e-ovn-hybrid-step-registry
• ci/prow/e2e-ovn-ipsec-step-registry
• ci/prow/e2e-ovn-step-registry
• ci/prow/e2e-vsphere-ovn
• ci/prow/e2e-vsphere-ovn-dualstack
• ci/prow/hypershift-e2e-aks
• ci/prow/images
• ci/prow/lint
• ci/prow/okd-scos-e2e-aws-ovn
• ci/prow/okd-scos-images
• ci/prow/security
• ci/prow/unit
• ci/prow/verify
• ci/prow/verify-deps
• pull-ci-openshift-cluster-network-operator-master-4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade
• pull-ci-openshift-cluster-network-operator-master-4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade
• pull-ci-openshift-cluster-network-operator-master-4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-upgrade
• pull-ci-openshift-cluster-network-operator-master-4.20-upgrade-from-stable-4.19-images
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-hypershift-ovn-kubevirt
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-hypershift-conformance
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-local-to-shared-gateway-mode-migration
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-serial
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-serial-ipsec
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-shared-to-local-gateway-mode-migration
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-single-node
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-upgrade
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-upgrade-ipsec
• pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-windows
• pull-ci-openshift-cluster-network-operator-master-e2e-azure-ovn
• pull-ci-openshift-cluster-network-operator-master-e2e-azure-ovn-upgrade
• pull-ci-openshift-cluster-network-operator-master-e2e-gcp-ovn
• pull-ci-openshift-cluster-network-operator-master-e2e-gcp-ovn-upgrade
• pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-dualstack-bgp
• pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-dualstack-bgp-local-gw
• pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-ipv6
• pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-ipv6-ipsec
• pull-ci-openshift-cluster-network-operator-master-e2e-network-mtu-migration-ovn-ipv4
• pull-ci-openshift-cluster-network-operator-master-e2e-network-mtu-migration-ovn-ipv6
• pull-ci-openshift-cluster-network-operator-master-e2e-openstack-ovn
• pull-ci-openshift-cluster-network-operator-master-e2e-ovn-hybrid-step-registry
• pull-ci-openshift-cluster-network-operator-master-e2e-ovn-ipsec-step-registry
• pull-ci-openshift-cluster-network-operator-master-e2e-ovn-step-registry
• pull-ci-openshift-cluster-network-operator-master-e2e-vsphere-ovn
• pull-ci-openshift-cluster-network-operator-master-e2e-vsphere-ovn-dualstack
• pull-ci-openshift-cluster-network-operator-master-hypershift-e2e-aks
• pull-ci-openshift-cluster-network-operator-master-images
• pull-ci-openshift-cluster-network-operator-master-lint
• pull-ci-openshift-cluster-network-operator-master-okd-scos-e2e-aws-ovn
• pull-ci-openshift-cluster-network-operator-master-okd-scos-images
• pull-ci-openshift-cluster-network-operator-master-security
• pull-ci-openshift-cluster-network-operator-master-unit
• pull-ci-openshift-cluster-network-operator-master-verify
• pull-ci-openshift-cluster-network-operator-master-verify-deps
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

In response to this:

/override e2e-metal-ipi-ovn-dualstack-bgp-local-gw
https://issues.redhat.com/browse/OCPBUGS-60455

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kyrtapz]

/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw

In response to this:

/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6688e9a and 2 for PR HEAD b74ac27 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6688e9a and 2 for PR HEAD b74ac27 in total

[kyrtapz]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 6688e9a and 2 for PR HEAD b74ac27 in total

[kyrtapz]

/hold
We need to get #2752 in first.
I will unhold it once that is done and try to help merge this one quickly.

[kyrtapz]

/hold cancel

[kyrtapz]

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec
https://issues.redhat.com/browse/OCPBUGS-57665
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-network-operator/2774/pull-ci-openshift-cluster-network-operator-master-e2e-metal-ipi-ovn-ipv6-ipsec/1957793181399519232

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec

In response to this:

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec
https://issues.redhat.com/browse/OCPBUGS-57665

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kyrtapz]

This change is very specific to one deployment in hypershift.
Overriding the unrelated jobs to help unclog CI.

/override ci/prow/4.20-upgrade-from-stable-4.19-images
/override ci/prow/e2e-aws-ovn-upgrade
/override ci/prow/e2e-aws-ovn-upgrade-ipsec
/override ci/prow/e2e-aws-ovn-windows
/override ci/prow/e2e-azure-ovn-upgrade
/override ci/prow/e2e-gcp-ovn
/override ci/prow/e2e-gcp-ovn-upgrade
/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp
/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw
/override ci/prow/e2e-metal-ipi-ovn-ipv6
/override ci/prow/e2e-ovn-ipsec-step-registry

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/4.20-upgrade-from-stable-4.19-images, ci/prow/e2e-aws-ovn-upgrade, ci/prow/e2e-aws-ovn-upgrade-ipsec, ci/prow/e2e-aws-ovn-windows, ci/prow/e2e-azure-ovn-upgrade, ci/prow/e2e-gcp-ovn, ci/prow/e2e-gcp-ovn-upgrade, ci/prow/e2e-metal-ipi-ovn-dualstack-bgp, ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw, ci/prow/e2e-metal-ipi-ovn-ipv6, ci/prow/e2e-ovn-ipsec-step-registry

In response to this:

This change is very specific to one deployment in hypershift.
Overriding the unrelated jobs to help unclog CI.

/override ci/prow/4.20-upgrade-from-stable-4.19-images
/override ci/prow/e2e-aws-ovn-upgrade
/override ci/prow/e2e-aws-ovn-upgrade-ipsec
/override ci/prow/e2e-aws-ovn-windows
/override ci/prow/e2e-azure-ovn-upgrade
/override ci/prow/e2e-gcp-ovn
/override ci/prow/e2e-gcp-ovn-upgrade
/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp
/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw
/override ci/prow/e2e-metal-ipi-ovn-ipv6
/override ci/prow/e2e-ovn-ipsec-step-registry

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 76c7185 and 1 for PR HEAD b74ac27 in total

[kyrtapz]

/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-metal-ipi-ovn-dualstack-bgp

In response to this:

/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kyrtapz]

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec

In response to this:

/override ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rtheis]

/retest-required

[openshift-ci]

@bradbehle: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-hypershift-ovn-kubevirt	b74ac27	link	false	/test e2e-aws-hypershift-ovn-kubevirt
ci/prow/security	b74ac27	link	false	/test security
ci/prow/e2e-azure-ovn	b74ac27	link	false	/test e2e-azure-ovn
ci/prow/4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade	b74ac27	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-azure-ovn-upgrade
ci/prow/e2e-aws-ovn-serial	b74ac27	link	false	/test e2e-aws-ovn-serial
ci/prow/okd-scos-e2e-aws-ovn	b74ac27	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade	b74ac27	link	false	/test 4.20-upgrade-from-stable-4.19-e2e-aws-ovn-upgrade
ci/prow/e2e-openstack-ovn	b74ac27	link	false	/test e2e-openstack-ovn
ci/prow/e2e-ovn-step-registry	b74ac27	link	false	/test e2e-ovn-step-registry

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 76c7185 and 2 for PR HEAD b74ac27 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 76c7185 and 2 for PR HEAD b74ac27 in total

[kyrtapz]

/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw

In response to this:

/override ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kyrtapz]

/override ci/prow/e2e-aws-ovn-upgrade
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-network-operator/2774/pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-upgrade/1957922453418151936

[openshift-ci]

@kyrtapz: Overrode contexts on behalf of kyrtapz: ci/prow/e2e-aws-ovn-upgrade

In response to this:

/override ci/prow/e2e-aws-ovn-upgrade
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-network-operator/2774/pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-upgrade/1957922453418151936

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.