Revisions of kubernetes-salt

buildservice-autocommit accepted request 705961 from Factory Maintainer (factory-maintainer) (revision 377)
baserev update by copy to link target
Containers Team (containersteam) committed (revision 376)
new commit from concourse: Commit bb22844 by Alvaro Saurin alvaro.saurin@gmail.com
 Synchronize everything before starting an orchestration. Replace all the
 `mine.get` calls by the more compact `get_with_expr` function.
 
 bsc#1124784
 
 Signed-off-by: Alvaro Saurin <alvaro.saurin@gmail.com>
Containers Team (containersteam) committed (revision 375)
new commit from concourse: Commit b0a79f7 by Nirmoy Das ndas@suse.de
 cilium: add repo for cilium
 
 Signed-off-by: Nirmoy Das <ndas@suse.de>
Containers Team (containersteam) committed (revision 374)
new commit from concourse: Commit 0fcce23 by Alvaro Saurin alvaro.saurin@gmail.com
 When using file.managed, create a temporary file that is in /tmp instead of
 using the same directory the target file is. This fixes some problems with
 programs/daemons that could be monitoring that directory.
 
 bsc#1123716
 
 Signed-off-by: Alvaro Saurin <alvaro.saurin@gmail.com>
Containers Team (containersteam) committed (revision 373)
new commit from concourse: Commit e49af82 by Markos Chandras mchandras@suse.de
 Jenkinsfile: Update repository information for jenkins-library
Containers Team (containersteam) committed (revision 372)
new commit from concourse: Commit 1e20516 by Florian Bergmann fbergmann@suse.de
 Add a dummy state to not have an empty state in an orchestration
 
 This is a workaround for https://github.com/saltstack/salt/issues/14553 when
 upgrading crio 1.9 to 1.10.
Containers Team (containersteam) committed (revision 371)
new commit from concourse: Commit c67d8f9 by dmaiocchi dmaiocchi@suse.com
 Improve states stability
 
 - caasp_etcd.healthy function can fail even if the etcd cluster is
 healthy: adding a retry is a better solution for avoiding false-failure
 during orchs.
 
 - add caasp_service for kubeapi-server.service, with this we are
 checking 10 times that the service is running in a row.
 ( having service.running only can cause false failures)
 
 - fixed some indentation around states.
Containers Team (containersteam) committed (revision 370)
new commit from concourse: Commit 9c06818 by Florian Bergmann fbergmann@suse.de
 Use iteritems from six import for python2/3 compatibility.
 
 Fixes bsc#1123497
 
 Commit 1b21219 by Florian Bergmann fbergmann@suse.de
 Fix python3 iteration over dictionary.
 
 In python3 python prevents modifying the dictionary that is iterated over.
 
 Instead of modifying the dictionary a new one is constructed instead.
 
 Fixes bsc#1123497
Containers Team (containersteam) committed (revision 369)
new commit from concourse: Commit 78435fc by Jordi Massaguer Pla jmassaguerpla@suse.de
 use caasp v4 images from SUSE Registry
Containers Team (containersteam) committed (revision 368)
new commit from concourse: Commit b3b4568 by Markos Chandras mchandras@suse.de
 Jenkinsfile: Switch to dynamic library fetching and drop branch
 
 Instead of having the library hardcoded to Jenkins master, we can fetch it
 dynamically. We also drop the usage of library branches since it does not
 make sense to maintain such a thing in the CI. The master branch should be
 able to handle both development and release branches.
Containers Team (containersteam) committed (revision 367)
new commit from concourse: Commit 4280cf4 by Maximilian Meister mmeister@suse.de
 update critical pod configuration
 
 https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/
 
 bsc#1122783
 
 Signed-off-by: Maximilian Meister <mmeister@suse.de>
Containers Team (containersteam) committed (revision 366)
new commit from concourse: Commit 32d6dbe by Maximilian Meister mmeister@suse.de
 [bsc#1125095] deployment timeout not correctly configured
 
 instead of setting the timeout we were only setting the retries which causes
 the timeout to be prolonged too much
 
 Signed-off-by: Maximilian Meister <mmeister@suse.de>
Containers Team (containersteam) committed (revision 365)
new commit from concourse: Commit a5d00a8 by Florian Bergmann fbergmann@suse.de
 Force basename on the system certificate name to prevent path traversal
Containers Team (containersteam) committed (revision 364)
new commit from concourse: Commit 4f75ad3 by Rafael Fernández López ereslibre@ereslibre.es
 Make nodename appear first on the /etc/hosts file
 
 Salt will pick the first name on the current default interface to determine
 the hostname of the machine. Since we are sorting with all entries for each
 machine there's a high chance that a salt minion id will win the first
 position, affecting certain grains that we use to determine the hostname of
 the node.
 
 Fixes: bsc#1117339
Containers Team (containersteam) committed (revision 363)
new commit from concourse: Commit d0d4384 by Michal Jura mjura@suse.com
 Enable kube-apiserver authentication to the kubelet (bsc#1121146)
 
 Kube-apiserver should authenticate to the kubelet with a client certificate
 and key. This is configured with the --kubelet-client-certificate and
 --kubelet-client-key flags provided to the API server. Kubelet has to be
 started with the --client-ca-file flag or clientCAFile option in
 kubelet-config.yaml file, this is providing a CA bundle to verify client
 certificates with.
 
 (cherry picked from commit 6309fb22ae122db6e2db2705fe47c1f4ae939ffb)
 
 Commit 1b083a4 by Michal Jura mjura@suse.com
 Disable anonymous access to Kubelet API (bsc#1121146)
 
 (cherry picked from commit dd88fe82fa8a611db1593025b5c61818e7a61999)
Containers Team (containersteam) committed (revision 362)
new commit from concourse: Commit 42c129a by Panos Georgiadis drpaneas@gmail.com
 Disable insecure port in kube-apiserver (bsc#1121148)
 
 Fixes bnc#1121148 - Critical Security issue for KubeAPI
 Insecure API port exposed to all Master Node guest containers
 
 In older versions of Kubernetes, you could run kube-apiserver
 with an API port that does not have any protections around it.
 
 This PR disables insecure port by passing the --insecure-port=0
 
 In recent versions, this has been disabled by default with the
 intention of completely deprecating it
 
 (cherry picked from commit 01d91482e9a84b05b3b6eaec6a94b7b19ee74ee4)
Containers Team (containersteam) committed (revision 361)
new commit from concourse: Commit cb017ed by Alvaro Saurin alvaro.saurin@gmail.com
 Use a writable directory for volume plugins Use the same volumes plugins
 directory for the controller-manager and the kubelet.
 
 bsc#1117942
 
 Signed-off-by: Alvaro Saurin <alvaro.saurin@gmail.com>
Containers Team (containersteam) committed (revision 360)
new commit from concourse: Commit 8baefd4 by Panos Georgiadis drpaneas@gmail.com
 Run flannel in unprivileged mode (bsc#1121153 bsc#1121154)
 
 Fixes bsc#1121153 - High Security issue for Kubernetes: Flannel container
 runs in privileged mode
 
 This fix makes sure that flannel runs in unprivileged mode.
 
 This is done by changing the flannel manifests and also adding a new PSP
 policy that disables both privilege mode and privilege escalation.
 
 The new PSP activates 'NET_ADMIN' capability, hostNetwork and
 allowedHostPaths.
 
 Fixes bsc#1121154 - High Security issue for Kubernetes: Flannel container
 has read/write access to /run, including docker.sock
 
 Change the path from '/run' into '/run/flannel'
 
 Co-authored-by: chentex <vzepedamas@suse.com>
 (cherry picked from commit 8216c9ce691c8174eb2fcd66a1a2fecc446ee106)
Containers Team (containersteam) committed (revision 359)
new commit from concourse: Commit 9ceeeab by dmaiocchi dmaiocchi@suse.com
 Improve msg of healthy function.
 
 Cluster is too generic, use etcd cluster instead
Containers Team (containersteam) committed (revision 358)
new commit from concourse: Commit 8443e0d by Markos Chandras mchandras@suse.de
 Jenkinsfile: Use docker cmdline directly instead of k8s Jenkins plugin
 
 The tox and flake8 pipelines are the only ones which depend on the k8s
 Jenkins plugin. As such, we can use docker directly in order to be able to
 drop the plugin from the server. The nodelabel is hardcoded because it does
 not make much sense to make this configurable given everything happens on a
 container.
Displaying revisions 1 - 20 of 377