这是indexloc提供的服务,不要输入任何密码
Skip to content

Drop all capabilities from our pods #9973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 28, 2020
Merged

Drop all capabilities from our pods #9973

merged 1 commit into from
Oct 28, 2020

Conversation

markusthoemmes
Copy link
Contributor

Proposed Changes

As per title, we don't seem to need any of the "extra" capabilities (i.e. we're not spawning sockets < 1024 etc.), so let's use the smallest surface area possible.

I'll check if this might be worth doing for the queue-proxy too.

Release Note

All of our deployments run with a minimal set of kernel capabilities.

/assign @julz @mattmoor

@google-cla google-cla bot added the cla: yes Indicates the PR's author has signed the CLA. label Oct 28, 2020
@knative-prow-robot knative-prow-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Oct 28, 2020
@knative-prow-robot knative-prow-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 28, 2020
mattmoor
mattmoor reviewed Oct 28, 2020
View reviewed changes
Copy link
Member

@mattmoor mattmoor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@knative-prow-robot knative-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Oct 28, 2020
@codecov
Copy link

codecov bot commented Oct 28, 2020
edited
Loading

Codecov Report

Merging #9973 into master will increase coverage by 0.02%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #9973      +/-   ##
==========================================
+ Coverage   87.78%   87.81%   +0.02%     
==========================================
  Files         183      183              
  Lines        8631     8631              
==========================================
+ Hits         7577     7579       +2     
+ Misses        803      801       -2     
  Partials      251      251
Impacted Files Coverage Δ
pkg/reconciler/configuration/configuration.go 86.71% <0.00%> (-1.57%) ⬇️
pkg/activator/net/revision_backends.go 91.40% <0.00%> (+0.90%) ⬆️
pkg/reconciler/autoscaling/kpa/scaler.go 90.00% <0.00%> (+1.42%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b30c3c1...ca63094. Read the comment docs.

julz
julz approved these changes Oct 28, 2020
View reviewed changes
Copy link
Member

@julz julz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@knative-prow-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: julz, markusthoemmes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow-robot knative-prow-robot merged commit 952a8e3 into knative:master Oct 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattmoor mattmoor mattmoor left review comments

@julz julz julz approved these changes

@evankanderson evankanderson Awaiting requested review from evankanderson

@grantr grantr Awaiting requested review from grantr

Assignees

@julz julz

@mattmoor mattmoor

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cla: yes Indicates the PR's author has signed the CLA. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@markusthoemmes @knative-prow-robot @julz @mattmoor