diff --git a/openshift/release/artifacts/serving-core.yaml b/openshift/release/artifacts/serving-core.yaml
index 3249157b9436..34fa237e72d3 100644
--- a/openshift/release/artifacts/serving-core.yaml
+++ b/openshift/release/artifacts/serving-core.yaml
@@ -1892,16 +1892,6 @@ spec:
 url:
 description: URL is the URL of this DomainMapping.
 type: string
- additionalPrinterColumns:
- - name: URL
- type: string
- jsonPath: .status.url
- - name: Ready
- type: string
- jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- - name: Reason
- type: string
- jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
 names:
 kind: DomainMapping
 plural: domainmappings
diff --git a/openshift/release/artifacts/serving-crds.yaml b/openshift/release/artifacts/serving-crds.yaml
index 1e87c0d8e407..e6424cac06b1 100644
--- a/openshift/release/artifacts/serving-crds.yaml
+++ b/openshift/release/artifacts/serving-crds.yaml
@@ -1501,16 +1501,6 @@ spec:
 url:
 description: URL is the URL of this DomainMapping.
 type: string
- additionalPrinterColumns:
- - name: URL
- type: string
- jsonPath: .status.url
- - name: Ready
- type: string
- jsonPath: ".status.conditions[?(@.type=='Ready')].status"
- - name: Reason
- type: string
- jsonPath: ".status.conditions[?(@.type=='Ready')].reason"
 names:
 kind: DomainMapping
 plural: domainmappings
diff --git a/pkg/apis/serving/v1/revision_defaults.go b/pkg/apis/serving/v1/revision_defaults.go
index 4805f5b1fe35..48c439b4adea 100644
--- a/pkg/apis/serving/v1/revision_defaults.go
+++ b/pkg/apis/serving/v1/revision_defaults.go
@@ -184,21 +184,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 if updatedSC.AllowPrivilegeEscalation == nil {
 updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
 }
- if psc.SeccompProfile == nil || psc.SeccompProfile.Type == "" {
- if updatedSC.SeccompProfile == nil {
- updatedSC.SeccompProfile = &corev1.SeccompProfile{}
- }
- if updatedSC.SeccompProfile.Type == "" {
- updatedSC.SeccompProfile.Type = corev1.SeccompProfileTypeRuntimeDefault
- }
- }
+
 if updatedSC.Capabilities == nil {
 updatedSC.Capabilities = &corev1.Capabilities{}
 updatedSC.Capabilities.Drop = []corev1.Capability{"ALL"}
 // Default in NET_BIND_SERVICE to allow binding to low-numbered ports.
 needsLowPort := false
 for _, p := range container.Ports {
- if p.ContainerPort < 1024 {
+ if p.ContainerPort > 0 && p.ContainerPort < 1024 {
 needsLowPort = true
 break
 }
@@ -207,11 +200,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"}
 }
 }
-
- if psc.RunAsNonRoot == nil {
+ if psc.RunAsNonRoot == nil && updatedSC.RunAsNonRoot == nil {
 updatedSC.RunAsNonRoot = ptr.Bool(true)
 }
-
 if *updatedSC != (corev1.SecurityContext{}) {
 container.SecurityContext = updatedSC
 }
diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go
index 52e4bbaaf0d9..401cac325fa9 100644
--- a/pkg/apis/serving/v1/revision_defaults_test.go
+++ b/pkg/apis/serving/v1/revision_defaults_test.go
@@ -900,7 +900,6 @@ func TestRevisionDefaulting(t *testing.T) {
 ReadinessProbe: defaultProbe,
 Resources: defaultResources,
 SecurityContext: &corev1.SecurityContext{
- RunAsNonRoot: ptr.Bool(true),
 AllowPrivilegeEscalation: ptr.Bool(false),
 RunAsNonRoot: ptr.Bool(true),
 Capabilities: &corev1.Capabilities{
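Review bot: After the first hunk of pkg/apis/serving/v1/revision_defaults.go, defaultSecurityContext no longer sets any seccomp profile, and the hunk in pkg/reconciler/revision/resources/queue.go drops it from the SecurityContext literal there as well, yet nothing in the new code records why or which component is expected to supply one. On a cluster where neither the runtime nor an admission policy assigns a profile, these containers would presumably run without seccomp filtering while still carrying the other hardened defaults; that dependency should be confirmed and written down. I would put a comment where the removed block was, e.g. `// seccompProfile is intentionally not defaulted here; it is expected to be assigned by the platform's admission policy.`, and add a test expectation that SeccompProfile stays nil so the choice is visible. The function body starts and ends outside the hunk.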
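Review bot: With the added `updatedSC.RunAsNonRoot == nil` condition in the second hunk of pkg/apis/serving/v1/revision_defaults.go, a container that explicitly sets RunAsNonRoot to false now keeps that value, whereas the old condition replaced it with true whenever the pod-level field was unset (assuming updatedSC starts from the container's own context, which is set up outside the hunk). If respecting the explicit value is intended, state it next to the check, e.g. `// Only default RunAsNonRoot when neither the pod nor the container sets it; an explicit container value wins.`. The visible test hunks only drop duplicated `RunAsNonRoot: ptr.Bool(true),` expectation lines, so a TestRevisionDefaulting case with a container-level false, and one with a zero ContainerPort for the new `> 0` guard, would be worth adding if they are not already covered outside these hunks.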
@@ -912,7 +911,6 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: "sidecar",
 Resources: defaultResources,
 SecurityContext: &corev1.SecurityContext{
- RunAsNonRoot: ptr.Bool(true),
 AllowPrivilegeEscalation: ptr.Bool(false),
 RunAsNonRoot: ptr.Bool(true),
 Capabilities: &corev1.Capabilities{
@@ -923,7 +921,6 @@ func TestRevisionDefaulting(t *testing.T) {
 Name: "special-sidecar",
 Resources: defaultResources,
 SecurityContext: &corev1.SecurityContext{
- RunAsNonRoot: ptr.Bool(true),
 AllowPrivilegeEscalation: ptr.Bool(true),
 RunAsNonRoot: ptr.Bool(true),
 Capabilities: &corev1.Capabilities{
@@ -935,7 +932,6 @@ func TestRevisionDefaulting(t *testing.T) {
 InitContainers: []corev1.Container{{
 Name: "special-init",
 SecurityContext: &corev1.SecurityContext{
- RunAsNonRoot: ptr.Bool(true),
 AllowPrivilegeEscalation: ptr.Bool(true),
 SeccompProfile: &corev1.SeccompProfile{
 Type: corev1.SeccompProfileTypeLocalhost,
@@ -999,7 +995,6 @@ func TestRevisionDefaulting(t *testing.T) {
 ReadinessProbe: defaultProbe,
 Resources: defaultResources,
 SecurityContext: &corev1.SecurityContext{
- RunAsNonRoot: ptr.Bool(true),
 AllowPrivilegeEscalation: ptr.Bool(false),
 RunAsNonRoot: ptr.Bool(true),
 Capabilities: &corev1.Capabilities{
@@ -1010,7 +1005,6 @@ func TestRevisionDefaulting(t *testing.T) {
 InitContainers: []corev1.Container{{
 Name: "init",
 SecurityContext: &corev1.SecurityContext{
- RunAsNonRoot: ptr.Bool(true),
 AllowPrivilegeEscalation: ptr.Bool(false),
 RunAsNonRoot: ptr.Bool(true),
 Capabilities: &corev1.Capabilities{
diff --git a/pkg/reconciler/revision/resources/queue.go b/pkg/reconciler/revision/resources/queue.go
index 423f43dd09d8..01263613c74c 100644
--- a/pkg/reconciler/revision/resources/queue.go
+++ b/pkg/reconciler/revision/resources/queue.go
@@ -86,9 +86,6 @@ var (
 Capabilities: &corev1.Capabilities{
 Drop: []corev1.Capability{"ALL"},
 },
- SeccompProfile: &corev1.SeccompProfile{
- Type: corev1.SeccompProfileTypeRuntimeDefault,
- },
 }
 )