Page MenuHomePhabricator
Create Task
Maniphest T362978

Update all helm modules and charts to be compatible with the restricted PSS
Closed, ResolvedPublic
Actions

Description

We need to update all helm chart modules (and all charts ofc.) to be compatible with the restricted PSS profile.

As far as I can tell rn this is mostly adding a proper securityContext to all containers:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
     drop:
     - ALL
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

There is another "update everything" task at: T346638: Rename the envoy's uses_ingress option to sets_sni to cross check for synergy effects...

Missing charts/deployments:

  • spark-operator @BTullis || @brouberol
  • mediawiki-dev (we probably don't really need to do this, but might be wise for consistency)
  • mediawiki

Details

SubjectRepoBranchLines +/-
k8s-controller-sidecars: adopt securityContextoperations/deployment-chartsmaster+22 -194
dse: Add securityContext to istio componentsoperations/deployment-chartsmaster+13 -0
ml: Add securityContext to istio componentsoperations/deployment-chartsmaster+17 -0
aux: Add securityContext to istio componentsoperations/deployment-chartsmaster+9 -0
Add securityContext to opentelemetry podsoperations/deployment-chartsmaster+9 -0
Add securityContext to istio componentsoperations/deployment-chartsmaster+9 -0
flink-app: Add securityContext to the flink containeroperations/deployment-chartsmaster+2 -1
cfssl-issuer: Add container securityContextoperations/deployment-chartsmaster+10 -3
mediawiki: enable securityContext everywhereoperations/deployment-chartsmaster+0 -19
mediawiki: add securityContext to all containers (attempt 2)operations/deployment-chartsmaster+208 -59
mw-on-k8s: extend envoy_cluster_name to new formatoperations/alertsmaster+3 -3
Revert "mediawiki: add securityContext to all containers"operations/deployment-chartsmaster+59 -198
mediawiki: add securityContext to all containersoperations/deployment-chartsmaster+198 -59
Revert "mediawiki: enable securityContext in all canaries"operations/deployment-chartsmaster+5 -15
mediawiki: enable securityContext in all canariesoperations/deployment-chartsmaster+15 -5
kserve-inference: add securityContext explicit configoperations/deployment-chartsmaster+17 -2
mediawiki-dev: add securityContext to all containersoperations/deployment-chartsmaster+22 -2
spark-operator: add securityContext to all containersoperations/deployment-chartsmaster+22 -5
toolhub: Add missing securityContext to CronJoboperations/deployment-chartsmaster+2 -1
Global update of test-service-checker templateoperations/deployment-chartsmaster+163 -64
kask: add securityContext to all containersoperations/deployment-chartsmaster+75 -6
eventstreams: add securityContext to all production containersoperations/deployment-chartsmaster+30 -13
mcrouter: Bump chart modulesoperations/deployment-chartsmaster+51 -29
shellbox: add securityContext to all containersoperations/deployment-chartsmaster+34 -14
flink-operator: add securityContextoperations/deployment-chartsmaster+12 -1
termbox: add securityContext to all containersoperations/deployment-chartsmaster+31 -13
calculator-service: add securityContext to all containersoperations/deployment-chartsmaster+250 -108
wikifeeds: ensure all containers have securityContextoperations/deployment-chartsmaster+26 -9
python-webapp: add securityContext to all containersoperations/deployment-chartsmaster+262 -115
machinetranslation: add securityContext to all containersoperations/deployment-chartsmaster+291 -126
developer-portal: add securityContext to all containersoperations/deployment-chartsmaster+266 -103
linkrecommendation: add securityContext to all containersoperations/deployment-chartsmaster+272 -108
toolhub: ensure all containers have securityContextoperations/deployment-chartsmaster+175 -85
datahub: add securityContext to all containersoperations/deployment-chartsmaster+1 K -1 K
flink-app: Update various modulesoperations/deployment-chartsmaster+286 -128
admin_ng: bump CPU resourcequota for protonoperations/deployment-chartsmaster+9 -1
proton: drop replicas from 12 to 10operations/deployment-chartsmaster+1 -1
datasets-config: add securityContext to all containersoperations/deployment-chartsmaster+141 -43
mpic: add securityContext to all containersoperations/deployment-chartsmaster+141 -43
echoserver: add securityContext to all containersoperations/deployment-chartsmaster+162 -49
spark-history: add securityContext to all containersoperations/deployment-chartsmaster+235 -114
mcrouter: add securityContext to all containersoperations/deployment-chartsmaster+48 -27
thumbor: add securityContext to all containersoperations/deployment-chartsmaster+287 -102
function-evaluator: ensure all containers have securityContextoperations/deployment-chartsmaster+29 -10
function-orchestrator: ensure all containers have securityContextoperations/deployment-chartsmaster+29 -10
push-notifications: add securityContext to all containersoperations/deployment-chartsmaster+144 -79
chromium-render: add securityContext to all containersoperations/deployment-chartsmaster+149 -82
miscweb: Update various modulesoperations/deployment-chartsmaster+277 -179
similar-users: add securityContext to all containersoperations/deployment-chartsmaster+159 -96
ipoid: ensure all containers have securityContextoperations/deployment-chartsmaster+201 -102
changeprop: add securityContext to all containersoperations/deployment-chartsmaster+27 -10
tegola-vector-tiles: Add securityContext and update dependenciesoperations/deployment-chartsmaster+270 -143
aqs-http-gateway: add securityContext to all containers (attempt 2)operations/deployment-chartsmaster+172 -79
aqs-http-gateway: no-op chart version bump after revertoperations/deployment-chartsmaster+1 -1
Revert "aqs-http-gateway: add securityContext to all containers"operations/deployment-chartsmaster+79 -172
aqs-http-gateway: add securityContext to all containersoperations/deployment-chartsmaster+172 -79
recommendation-api: add securityContextoperations/deployment-chartsmaster+140 -66
cxserver: add securityContext to all containersoperations/deployment-chartsmaster+31 -16
citoid: add securityContext to all containersoperations/deployment-chartsmaster+161 -96
mobileapps: Use mesh modules version enabling IPv6operations/deployment-chartsmaster+67 -19
zotero: Ensure containers have a securityContextoperations/deployment-chartsmaster+257 -139
benthos: adopt securityContext and base.external-services-networkpolicyoperations/deployment-chartsmaster+82 -26
blubberoid: add securityContext to all containersoperations/deployment-chartsmaster+24 -9
api-gateway: add securityContext to all containersoperations/deployment-chartsmaster+138 -71
apertium: add securityContext to all containersoperations/deployment-chartsmaster+25 -9
mathoid: add securityContext to all containersoperations/deployment-chartsmaster+151 -86
modules: Add restrictedSecurityContext to statsdoperations/deployment-chartsmaster+2 -2
New version of statds moduleoperations/deployment-chartsmaster+78 -0
eventgate: Add securityContext for all containersoperations/deployment-chartsmaster+24 -9
modules: Add restrictedSecurityContext to all containersoperations/deployment-chartsmaster+32 -7
Fix mcrouter module to work out of the box from scaffoldoperations/deployment-chartsmaster+42 -37
New module versionsoperations/deployment-chartsmaster+1 K -0
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a comment.May 29 2024, 11:06 PM

Change #1037196 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] chromium-render: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037196

gerritbot added a comment.May 30 2024, 9:07 PM

Change #1037615 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] shellbox: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037615

gerritbot added a comment.May 31 2024, 10:21 PM

Change #1037861 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] eventstreams: add securityContext to all production containers

https://gerrit.wikimedia.org/r/1037861

gerritbot added a comment.Jun 4 2024, 3:21 PM

Change #1030190 merged by jenkins-bot:

[operations/deployment-charts@master] changeprop: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030190

gerritbot added a comment.Jun 5 2024, 8:50 AM

Change #1031105 merged by jenkins-bot:

[operations/deployment-charts@master] ipoid: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1031105

gerritbot added a comment.Jun 6 2024, 1:52 PM

Change #1039727 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] flink-app: Update various modules

https://gerrit.wikimedia.org/r/1039727

gerritbot added a comment.Jun 6 2024, 4:24 PM

Change #1037194 abandoned by Scott French:

[operations/deployment-charts@master] similar-users: add securityContext to all containers

Reason:

Turndown planned in https://phabricator.wikimedia.org/T345274

https://gerrit.wikimedia.org/r/1037194

gerritbot added a comment.Jun 7 2024, 11:59 AM

Change #1039727 merged by jenkins-bot:

[operations/deployment-charts@master] flink-app: Update various modules

https://gerrit.wikimedia.org/r/1039727

gerritbot added a comment.Jun 7 2024, 3:19 PM

Change #1032525 merged by jenkins-bot:

[operations/deployment-charts@master] miscweb: Update various modules

https://gerrit.wikimedia.org/r/1032525

gerritbot added a comment.Jun 7 2024, 3:56 PM

Change #1037196 merged by jenkins-bot:

[operations/deployment-charts@master] chromium-render: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037196

gerritbot added a comment.Jun 7 2024, 5:05 PM

Change #1040220 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] admin_ng: bump CPU resourcequota for proton

https://gerrit.wikimedia.org/r/1040220

gerritbot added a comment.Jun 7 2024, 5:05 PM

Change #1040221 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] proton: drop replicas from 12 to 10

https://gerrit.wikimedia.org/r/1040221

gerritbot added a comment.Jun 10 2024, 7:18 AM

Change #1032519 merged by jenkins-bot:

[operations/deployment-charts@master] push-notifications: add securityContext to all containers

https://gerrit.wikimedia.org/r/1032519

gerritbot added a comment.Jun 10 2024, 7:19 AM

Change #1037163 merged by jenkins-bot:

[operations/deployment-charts@master] function-orchestrator: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037163

gerritbot added a comment.Jun 10 2024, 7:19 AM

Change #1037162 merged by jenkins-bot:

[operations/deployment-charts@master] function-evaluator: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037162

gerritbot added a comment.Jun 10 2024, 12:11 PM

Change #1041076 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] calculator-service: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041076

gerritbot added a comment.Jun 10 2024, 1:13 PM

Change #1041070 merged by Brouberol:

[operations/deployment-charts@master] spark-history: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041070

gerritbot added a comment.Jun 10 2024, 1:40 PM

Change #1041071 merged by Brouberol:

[operations/deployment-charts@master] echoserver: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041071

gerritbot added a comment.Jun 10 2024, 1:54 PM

Change #1041119 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] datasets-config: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041119

gerritbot added a comment.Jun 10 2024, 1:56 PM

Change #1041120 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] mpic: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041120

gerritbot added a comment.Jun 10 2024, 2:15 PM

Change #1041120 merged by Brouberol:

[operations/deployment-charts@master] mpic: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041120

gerritbot added a comment.Jun 10 2024, 2:15 PM

Change #1041119 merged by Brouberol:

[operations/deployment-charts@master] datasets-config: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041119

gerritbot added a comment.Jun 10 2024, 2:28 PM

Change #1040221 merged by jenkins-bot:

[operations/deployment-charts@master] proton: drop replicas from 12 to 10

https://gerrit.wikimedia.org/r/1040221

gerritbot added a comment.Jun 10 2024, 2:37 PM

Change #1040220 merged by jenkins-bot:

[operations/deployment-charts@master] admin_ng: bump CPU resourcequota for proton

https://gerrit.wikimedia.org/r/1040220

gerritbot added a comment.Jun 10 2024, 3:33 PM

Change #1041161 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] flink-operator: add securityContext

https://gerrit.wikimedia.org/r/1041161

gerritbot added a comment.Jun 11 2024, 9:39 AM

Change #1037165 merged by jenkins-bot:

[operations/deployment-charts@master] toolhub: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037165

gerritbot added a comment.Jun 11 2024, 9:47 AM

Change #1041049 merged by jenkins-bot:

[operations/deployment-charts@master] linkrecommendation: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041049

gerritbot added a comment.Jun 11 2024, 9:50 AM

Change #1041039 merged by jenkins-bot:

[operations/deployment-charts@master] developer-portal: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041039

gerritbot added a comment.Jun 11 2024, 10:19 AM

Change #1041055 merged by jenkins-bot:

[operations/deployment-charts@master] machinetranslation: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041055

gerritbot added a comment.Jun 11 2024, 10:19 AM

Change #1041072 merged by jenkins-bot:

[operations/deployment-charts@master] python-webapp: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041072

gerritbot added a comment.Jun 11 2024, 2:32 PM

Change #1037164 merged by jenkins-bot:

[operations/deployment-charts@master] wikifeeds: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1037164

gerritbot added a comment.Jun 11 2024, 2:51 PM

Change #1041076 merged by jenkins-bot:

[operations/deployment-charts@master] calculator-service: add securityContext to all containers

https://gerrit.wikimedia.org/r/1041076

gerritbot added a comment.Jun 11 2024, 3:32 PM

Change #1037193 merged by jenkins-bot:

[operations/deployment-charts@master] termbox: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037193

gerritbot added a comment.Jun 12 2024, 9:30 AM

Change #1041161 merged by jenkins-bot:

[operations/deployment-charts@master] flink-operator: add securityContext

https://gerrit.wikimedia.org/r/1041161

gerritbot added a comment.Jun 12 2024, 10:05 AM

Change #1037615 merged by jenkins-bot:

[operations/deployment-charts@master] shellbox: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037615

gerritbot added a comment.Jun 12 2024, 11:41 AM

Change #1038859 merged by jenkins-bot:

[operations/deployment-charts@master] mcrouter: Bump chart modules

https://gerrit.wikimedia.org/r/1038859

gerritbot added a comment.Jun 12 2024, 11:44 AM

Change #1037861 merged by jenkins-bot:

[operations/deployment-charts@master] eventstreams: add securityContext to all production containers

https://gerrit.wikimedia.org/r/1037861

gerritbot added a comment.Jun 12 2024, 12:05 PM

Change #1037195 merged by jenkins-bot:

[operations/deployment-charts@master] kask: add securityContext to all containers

https://gerrit.wikimedia.org/r/1037195

gerritbot added a comment.Jun 12 2024, 1:46 PM

Change #1042256 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] toolhub: Add missing securityContext to CronJob

https://gerrit.wikimedia.org/r/1042256

gerritbot added a comment.Jun 12 2024, 2:04 PM

Change #1032714 merged by jenkins-bot:

[operations/deployment-charts@master] Global update of test-service-checker template

https://gerrit.wikimedia.org/r/1032714

JMeybohm updated the task description. (Show Details)Jun 12 2024, 2:14 PM
JMeybohm added subscribers: brouberol, BTullis.
gerritbot added a comment.Jun 12 2024, 2:17 PM

Change #1042256 merged by jenkins-bot:

[operations/deployment-charts@master] toolhub: Add missing securityContext to CronJob

https://gerrit.wikimedia.org/r/1042256

gerritbot added a comment.Jun 13 2024, 12:58 AM

Change #1042440 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: add securityContext to all containers

https://gerrit.wikimedia.org/r/1042440

gerritbot added a comment.Jun 13 2024, 7:21 AM

Change #1042838 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] spark-operator: add securityContext to all containers

https://gerrit.wikimedia.org/r/1042838

gerritbot added a comment.Jun 13 2024, 9:35 AM

Change #1042838 merged by Brouberol:

[operations/deployment-charts@master] spark-operator: add securityContext to all containers

https://gerrit.wikimedia.org/r/1042838

brouberol updated the task description. (Show Details)Jun 13 2024, 9:37 AM
gerritbot added a comment.Jun 14 2024, 5:15 PM

Change #1043846 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki-dev: add securityContext to all containers

https://gerrit.wikimedia.org/r/1043846

gerritbot added a comment.Jun 17 2024, 2:13 PM

Change #1043846 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki-dev: add securityContext to all containers

https://gerrit.wikimedia.org/r/1043846

gerritbot added a comment.Jun 17 2024, 2:28 PM

Change #1046692 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: enable securityContext in all canaries

https://gerrit.wikimedia.org/r/1046692

gerritbot added a comment.Jun 17 2024, 2:28 PM

Change #1046693 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: enable securityContext everywhere

https://gerrit.wikimedia.org/r/1046693

JMeybohm updated the task description. (Show Details)Jun 21 2024, 1:51 PM
gerritbot added a comment.Jun 24 2024, 11:23 AM

Change #1026954 merged by jenkins-bot:

[operations/deployment-charts@master] kserve-inference: add securityContext explicit config

https://gerrit.wikimedia.org/r/1026954

gerritbot added a comment.Jun 24 2024, 5:02 PM

Change #1042440 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: add securityContext to all containers

https://gerrit.wikimedia.org/r/1042440

gerritbot added a comment.Jun 24 2024, 5:25 PM

Change #1046692 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: enable securityContext in all canaries

https://gerrit.wikimedia.org/r/1046692

gerritbot added a comment.Jun 24 2024, 5:39 PM

Change #1049246 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] Revert "mediawiki: enable securityContext in all canaries"

https://gerrit.wikimedia.org/r/1049246

gerritbot added a comment.Jun 24 2024, 5:42 PM

Change #1049246 merged by jenkins-bot:

[operations/deployment-charts@master] Revert "mediawiki: enable securityContext in all canaries"

https://gerrit.wikimedia.org/r/1049246

gerritbot added a comment.Jun 24 2024, 5:45 PM

Change #1049248 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] Revert "mediawiki: add securityContext to all containers"

https://gerrit.wikimedia.org/r/1049248

gerritbot added a comment.Jun 24 2024, 6:01 PM

Change #1049248 merged by jenkins-bot:

[operations/deployment-charts@master] Revert "mediawiki: add securityContext to all containers"

https://gerrit.wikimedia.org/r/1049248

Scott_French added a comment.Jun 24 2024, 6:41 PM

Alright, first the good news: I was able to deploy the mediawiki changes to mw-debug and canary releases for one service (mw-api-int), and confirmed that (1) slow logs still work and (2) no obvious increase in error rates etc.

Now the less-good news: We appear to use the previously hard-coded "local_service" upstream cluster name in a number of dashboard and alerts, and alas that changes with newer versions of mesh.configuration.

Before moving forward, I'll need to audit / fix those.

gerritbot added a comment.Jun 24 2024, 7:58 PM

Change #1049260 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/alerts@master] mw-on-k8s: extend envoy_cluster_name to new format

https://gerrit.wikimedia.org/r/1049260

Scott_French added a comment.Jun 24 2024, 11:48 PM

I've manually updated prometheus queries that previously limited envoy_cluster_name to "local_service" to be compatible with the new naming scheme on the following MW-related dashboards:

  • SRE Service Operations > mw-on-k8s Overview
  • Service > MediaWiki on k8s
  • Service > mw-api-ext
  • Service > mw-api-int
  • Service > mw-jobrunner
  • Service > mw-parsoid
  • Service > mw-web

That's everything that comes to mind from a quick scan of "published" (non-draft) dashboards. @JMeybohm can you think of anything else that might need updated?

JMeybohm added a comment.Jun 25 2024, 7:50 AM
In T362978#9919727, @Scott_French wrote:

That's everything that comes to mind from a quick scan of "published" (non-draft) dashboards. @JMeybohm can you think of anything else that might need updated?

Not right away. You could use grafana-wtf (https://wikitech.wikimedia.org/wiki/Grafana#Search/audit_metrics_usage_across_dashboards) to search for remaining occurrences of this across all dashboards.

gerritbot added a comment.Jun 25 2024, 2:36 PM

Change #1049260 merged by jenkins-bot:

[operations/alerts@master] mw-on-k8s: extend envoy_cluster_name to new format

https://gerrit.wikimedia.org/r/1049260

Scott_French added a comment.Jun 25 2024, 4:31 PM

Ah, perfect! Thank you @JMeybohm - search-grafana-dashboards.js uncovered one more dashboard to migrate, and an older one that could be deleted (apple-search). I also decided to go ahead and update "mw on k8s - WIP ServiceOps" since it's easy to stumble upon by accident.

So, setting aside two personal / experimental dashboards (I'll ping the owners directly) I believe that should be everything.

gerritbot added a comment.Jun 25 2024, 5:11 PM

Change #1049607 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: add securityContext to all containers (attempt 2)

https://gerrit.wikimedia.org/r/1049607

gerritbot added a comment.Jun 27 2024, 5:09 PM

Change #1049607 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: add securityContext to all containers (attempt 2)

https://gerrit.wikimedia.org/r/1049607

Stashbot added a comment.Jun 27 2024, 5:33 PM

Mentioned in SAL (#wikimedia-operations) [2024-06-27T17:33:26Z] <swfrench-wmf> canary deployments are healthy, slow-logs still produced, continuing with main deployments for T362978

gerritbot added a comment.Jun 27 2024, 5:36 PM

Change #1046693 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: enable securityContext everywhere

https://gerrit.wikimedia.org/r/1046693

Stashbot added a comment.Jun 27 2024, 5:41 PM

Mentioned in SAL (#wikimedia-operations) [2024-06-27T17:41:30Z] <swfrench@deploy1002> Started scap: Deploying securityContext changes for T362978 to main release

Stashbot added a comment.Jun 27 2024, 5:45 PM

Mentioned in SAL (#wikimedia-operations) [2024-06-27T17:45:39Z] <swfrench@deploy1002> Finished scap: Deploying securityContext changes for T362978 to main release (duration: 04m 09s)

Scott_French added a comment.Jun 27 2024, 6:24 PM

mw-debug and canaries were updated around 17:23 UTC (alas, I hit enter before adding the message on that scap invocation) and main releases around 17:45. About 40m on, things continue to look good - general service health looks fine, slow-logs work, and dashboards picked up the envoy metrics with the change in cluster name.

Scott_French updated the task description. (Show Details)Jun 27 2024, 6:24 PM
JMeybohm added a comment.Jun 28 2024, 7:43 AM

Great news! I'd say that concludes this task. Thanks for all of the help and patience getting this over the finish line!

JMeybohm closed this task as Resolved.Jun 28 2024, 7:43 AM
gerritbot added a comment.Jul 1 2024, 11:58 AM

Change #1051111 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] cfssl-issuer: Add container securityContext

https://gerrit.wikimedia.org/r/1051111

gerritbot added a comment.Jul 1 2024, 12:08 PM

Change #1051111 merged by jenkins-bot:

[operations/deployment-charts@master] cfssl-issuer: Add container securityContext

https://gerrit.wikimedia.org/r/1051111

dcausse subscribed.Jul 1 2024, 1:19 PM

Hi I'm having issues with a flink job running in staging and failing to deploy with an error:
>>> Status | Error | DEPLOYED | {"type":"org.apache.flink.kubernetes.operator.exception.DeploymentFailedException","message":"pods \"flink-app-consumer-search-784bc9fd87-9n862\" is forbidden: violates PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"flink-main-container\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"flink-main-container\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"flink-main-container\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"flink-main-container\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")","additionalMetadata":{"reason":"FailedCreate"},"throwableList":[]}

I wonder if it could be related to this task? Thanks!

JMeybohm reopened this task as Open.Jul 1 2024, 1:22 PM

Yes, kind of. What deploy command did you run (for me to reproduce)?

gerritbot added a comment.Jul 1 2024, 1:37 PM

Change #1051140 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] flink-app: Add securityContext to the flink container

https://gerrit.wikimedia.org/r/1051140

gerritbot added a comment.Jul 1 2024, 1:40 PM

Change #1051140 merged by jenkins-bot:

[operations/deployment-charts@master] flink-app: Add securityContext to the flink container

https://gerrit.wikimedia.org/r/1051140

JMeybohm added a comment.Jul 1 2024, 1:44 PM

FTR: It was the cirrus-streaming-updater depoyment in staging that failed. Looks like we missed adding the securityContext to the actual flink application container (we've done the envoy sidecar only).

JMeybohm closed this task as Resolved.Jul 1 2024, 2:43 PM
klausman closed subtask T368273: Roll out kserve-inference securityContext change to ML isvcs as Resolved.Jul 2 2024, 3:09 PM
gerritbot added a comment.Jul 3 2024, 8:10 AM

Change #1051685 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Add securityContext to istio components

https://gerrit.wikimedia.org/r/1051685

gerritbot added a comment.Jul 3 2024, 8:24 AM

Change #1051685 merged by jenkins-bot:

[operations/deployment-charts@master] Add securityContext to istio components

https://gerrit.wikimedia.org/r/1051685

gerritbot added a comment.Jul 3 2024, 8:40 AM

Change #1051690 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Add securityContext to opentelemetry pods

https://gerrit.wikimedia.org/r/1051690

Stashbot added a comment.Jul 3 2024, 8:53 AM

Mentioned in SAL (#wikimedia-operations) [2024-07-03T08:53:02Z] <jayme> deployed istio (adding securityContext) to wikikube clusters - T362978

gerritbot added a comment.Jul 3 2024, 8:54 AM

Change #1051690 merged by jenkins-bot:

[operations/deployment-charts@master] Add securityContext to opentelemetry pods

https://gerrit.wikimedia.org/r/1051690

gerritbot added a comment.Jul 8 2024, 10:39 AM

Change #1052700 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] aux: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052700

gerritbot added a comment.Jul 8 2024, 10:39 AM

Change #1052701 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] dse: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052701

gerritbot added a comment.Jul 8 2024, 10:39 AM

Change #1052702 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] ml: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052702

gerritbot added a comment.Jul 8 2024, 1:42 PM

Change #1052700 merged by Elukey:

[operations/deployment-charts@master] aux: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052700

gerritbot added a comment.Jul 15 2024, 12:39 PM

Change #1052702 merged by jenkins-bot:

[operations/deployment-charts@master] ml: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052702

gerritbot added a comment.Jul 22 2024, 8:09 AM

Change #1052701 merged by jenkins-bot:

[operations/deployment-charts@master] dse: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052701

Stashbot added a comment.Jul 22 2024, 8:17 AM

Mentioned in SAL (#wikimedia-analytics) [2024-07-22T08:17:06Z] <brouberol> deploy istio (adding securityContext) to dse-k8s-eqiad cluster - T362978

gerritbot added a comment.Aug 29 2024, 9:23 PM

Change #1068869 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] k8s-controller-sidecars: adopt securityContext

https://gerrit.wikimedia.org/r/1068869

gerritbot added a comment.Aug 30 2024, 2:53 PM

Change #1068869 merged by jenkins-bot:

[operations/deployment-charts@master] k8s-controller-sidecars: adopt securityContext

https://gerrit.wikimedia.org/r/1068869

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits