Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Makefile.version.aarch64.var
Original file line number Diff line number Diff line change
@@ -1 +1 @@
OCP_VERSION := 5.0.0-0.nightly-arm64-2026-07-02-035219
OCP_VERSION := 5.0.0-0.nightly-arm64-2026-07-06-035219
2 changes: 1 addition & 1 deletion Makefile.version.x86_64.var
Original file line number Diff line number Diff line change
@@ -1 +1 @@
OCP_VERSION := 5.0.0-0.nightly-2026-07-01-125918
OCP_VERSION := 5.0.0-0.nightly-2026-07-05-172708
2 changes: 1 addition & 1 deletion assets/components/multus/release-multus-aarch64.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"release": {
"base": "5.0.0-0.nightly-arm64-2026-07-02-035219"
"base": "5.0.0-0.nightly-arm64-2026-07-06-035219"
},
"images": {
"multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:b2e551ce30a36b4bb1e26de7abd739b045767cef27e16e30d1add5cfc5acdcf5",
Expand Down
2 changes: 1 addition & 1 deletion assets/components/multus/release-multus-x86_64.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"release": {
"base": "5.0.0-0.nightly-2026-07-01-125918"
"base": "5.0.0-0.nightly-2026-07-05-172708"
},
"images": {
"multus-cni-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:6021b7fe340a630889ad00e43e237bb39289524ce6396cf3ae28b892ef9e5cd0",
Expand Down
107 changes: 102 additions & 5 deletions assets/components/openshift-router/deployment.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
# Deployment with default values
#
# Methods hashableDeployment() and deploymentConfigChanged()
# must be updated when adding new fields to this manifest.
kind: Deployment
apiVersion: apps/v1
spec:
Expand All @@ -11,15 +14,83 @@ spec:
labels:
ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default
spec:
# manually configure the service account, so we can configure it only in the router container.
automountServiceAccountToken: false
serviceAccountName: router
priorityClassName: system-cluster-critical
containers:
- name: router
shareProcessNamespace: true
initContainers:
- name: init-router
imagePullPolicy: IfNotPresent
terminationMessagePolicy: FallbackToLogsOnError
command: ["/bin/bash", "-c", "cp -R -p /var/lib/haproxy/* /mnt/config/"]
volumeMounts:
- mountPath: /mnt/config
name: haproxy-config
image: '{{ .ReleaseImage.haproxy_router }}'
Comment on lines +23 to +30

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Complete securityContext and resource limits for changed containers.

init-router has no securityContext/resources, and the changed HAProxy/router blocks only set partial hardening and requests. Add the required non-root/no-escalation/drop-capabilities settings and CPU/memory limits in the rebase source, then regenerate the asset.

As per path instructions, Kubernetes manifests require runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation: false, dropping ALL capabilities, and resource limits on every container.

Also applies to: 65-68, 92-93, 253-256

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/components/openshift-router/deployment.yaml` around lines 23 - 30, The
changed container specs are missing required hardening and resource limits,
especially the init-router initContainer and the HAProxy/router blocks. Update
the rebase source for the init-router and related container definitions to
include full securityContext settings (runAsNonRoot, readOnlyRootFilesystem,
allowPrivilegeEscalation: false, and dropping ALL capabilities) plus CPU/memory
limits for each container, then regenerate the asset so the manifest reflects
the hardened configuration.

Source: Path instructions

- name: haproxy
imagePullPolicy: IfNotPresent
restartPolicy: Always
securityContext:
# See https://bugzilla.redhat.com/2007246
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
Comment on lines 34 to +37

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Do not enable privilege escalation in the restricted router pod.

allowPrivilegeEscalation: true conflicts with the restricted SCC annotation and the manifest hardening rules. If HAProxy truly requires this, use a narrowly scoped justification/SCC change; otherwise set it to false.

Proposed fix
-            allowPrivilegeEscalation: true
+            allowPrivilegeEscalation: false

As per coding guidelines, container manifests must flag allowPrivilegeEscalation: true; as per path instructions, Kubernetes manifests should use allowPrivilegeEscalation: false.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
securityContext:
# See https://bugzilla.redhat.com/2007246
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
securityContext:
# See https://bugzilla.redhat.com/2007246
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/components/openshift-router/deployment.yaml` around lines 34 - 37, The
container securityContext in the router deployment is enabling privilege
escalation, which conflicts with the restricted router pod requirements. Update
the securityContext for the HAProxy/router container to set
allowPrivilegeEscalation to false, and keep the existing readOnlyRootFilesystem
hardening in place. Use the securityContext block in the deployment manifest to
locate the change and ensure any exception would require an explicit SCC
justification elsewhere, not in this manifest.

Sources: Coding guidelines, Path instructions

terminationMessagePolicy: FallbackToLogsOnError
command: ["/var/lib/haproxy/start-haproxy"]
# admin.sock should follow routerHAProxyAdminSocket const
args: ["-W", "-db", "-S", "/var/lib/haproxy/run/admin.sock,mode,600", "-f", "/var/lib/haproxy/conf/haproxy.config"]
livenessProbe:
exec:
command: ["/bin/sh", "-c", "echo show version | socat - /var/lib/haproxy/run/haproxy.sock"]
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
terminationGracePeriodSeconds: 10
readinessProbe:
failureThreshold: 3
exec:
command: ["/bin/sh", "-c", "echo show version | socat - /var/lib/haproxy/run/haproxy.sock"]
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
startupProbe:
failureThreshold: 120
exec:
# admin.sock should follow routerHAProxyAdminSocket const
command: ["/bin/sh", "-c", "echo show version | socat - /var/lib/haproxy/run/admin.sock"]
periodSeconds: 1
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- mountPath: /var/lib/haproxy
name: haproxy-config
- mountPath: /etc/pki/tls/private
name: default-certificate
readOnly: true
- mountPath: /var/run/configmaps/service-ca
name: service-ca-bundle
readOnly: true
{{- if .HttpErrorCodePages }}
- mountPath: /var/lib/haproxy/errorfiles
name: error-code-pages
readOnly: true
{{- end }}
{{- if and .AccessLoggingEnabled (not .AccessLoggingSyslogAddress) }}
- mountPath: /var/lib/rsyslog
name: rsyslog-socket
readOnly: false
{{- end }}
image: '{{ .ReleaseImage.haproxy_router }}'
containers:
- name: router
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
terminationMessagePolicy: FallbackToLogsOnError
env:
- name: ROUTER_SERVICE_NAMESPACE
Expand All @@ -28,6 +99,8 @@ spec:
value: /etc/pki/tls/private
- name: DEFAULT_DESTINATION_CA_PATH
value: /var/run/configmaps/service-ca/service-ca.crt
- name: ROUTER_HAPROXY_ADMIN_UNIX_SOCKET
value: /var/lib/haproxy/run/admin.sock
- name: STATS_PORT
value: "1936"
- name: RELOAD_INTERVAL
Expand Down Expand Up @@ -181,15 +254,20 @@ spec:
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 256Mi
cpu: 25m
memory: 64Mi
volumeMounts:
- mountPath: /var/lib/haproxy
name: haproxy-config
- mountPath: /etc/pki/tls/private
name: default-certificate
readOnly: true
- mountPath: /var/run/configmaps/service-ca
name: service-ca-bundle
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access
readOnly: true
{{- if .ClientCAMapName }}
- mountPath: '{{ .ClientCAMountPath }}'
name: '{{ .ClientCAMapName}}'
Expand Down Expand Up @@ -254,6 +332,8 @@ spec:
secret:
defaultMode: 420
secretName: '{{ .ServingCertificateSecret }}'
- name: haproxy-config
emptyDir: {}
- name: service-ca-bundle
configMap:
defaultMode: 420
Expand All @@ -262,6 +342,23 @@ spec:
path: service-ca.crt
name: service-ca-bundle
optional: false
- name: kube-api-access
projected:
defaultMode: 0400
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
Comment on lines +345 to +357

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant manifest section with line numbers.
FILE="assets/components/openshift-router/deployment.yaml"
sed -n '300,410p' "$FILE" | cat -n

# Look for pod/container security context and any user/group settings.
rg -n "securityContext|runAsUser|runAsGroup|fsGroup|supplementalGroups|defaultMode|serviceAccountToken|kube-api-access" "$FILE"

# Find the router container image/user hints elsewhere in the repo.
rg -n "openshift-router|router.*user|runAsNonRoot|runAsUser|fsGroup" assets components pkg docs . -g '!vendor' -g '!deps' -g '!assets/optional/**'

Repository: openshift/microshift

Length of output: 37313


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="assets/components/openshift-router/deployment.yaml"

# Show the pod spec and the router container security context.
sed -n '1,120p' "$FILE" | cat -n

# Show the full volume block around kube-api-access.
sed -n '336,360p' "$FILE" | cat -n

# Show any explicit runAsUser/runAsGroup/fsGroup values in this manifest.
rg -n "runAsUser|runAsGroup|fsGroup|runAsNonRoot|securityContext" "$FILE"

Repository: openshift/microshift

Length of output: 6938


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the restricted SCC used by the router service account.
rg -n "name: restricted|fsGroup:|runAsUser:|supplementalGroups:|required-scc|router" assets/controllers/openshift-default-scc-manager assets/components/openshift-router -g '*.yaml'

# Show the router deployment section around the security context and mounts again.
sed -n '1,130p' assets/components/openshift-router/deployment.yaml | cat -n

# Show the restricted SCC snippet if present.
sed -n '1,120p' assets/controllers/openshift-default-scc-manager/0000_20_kube-apiserver-operator_00_scc-restricted.yaml | cat -n

Repository: openshift/microshift

Length of output: 1963


Use 420 for the kube-api-access projection

This pod has no runAsUser/fsGroup, so the restricted SCC’s non-root UID can’t read token/ca.crt with owner-read-only permissions. 420 matches the usual projected service-account token mode.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@assets/components/openshift-router/deployment.yaml` around lines 345 - 357,
The kube-api-access projected volume is using an owner-read-only default mode
that blocks the restricted SCC non-root UID from reading the projected token and
CA cert. Update the projected volume in the deployment manifest for
kube-api-access to use the standard service-account token permission mode of 420
instead of the current value so token and ca.crt remain readable without
runAsUser or fsGroup.

items:
- path: namespace
fieldRef:
fieldPath: metadata.namespace
{{- if .ClientCAMapName }}
- name: '{{ .ClientCAMapName }}'
configMap:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,10 @@
images:
- name: quay.io/operator-framework/olm
newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
digest: sha256:1c3ea72a23f0d6c653061c5bd97aaa6a3f7e588418df67e1212302d07c331509
digest: sha256:31e2fe2c034f093af23939832086b85c3835b1d09dd06526152c333cbec80958
- name: quay.io/operator-framework/configmap-operator-registry
newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
digest: sha256:076958253143ca66382d5065ba8bf257e0d56c84e7fede4d2e114870f99545f0
digest: sha256:07afe5617fdca7401d39b7a74792c496b5b9a6ccec72fe7398cf8bc6ff184b28
- name: quay.io/openshift/origin-kube-rbac-proxy
newName: quay.io/openshift-release-dev/ocp-v5.0-art-dev
digest: sha256:772437bdb01f7ed4523206fa6977cdd6b07bf86b1c7366b97dfc506a0d7ef614
Expand All @@ -16,12 +16,12 @@ patches:
path: /spec/template/spec/containers/0/env/-
value:
name: OPERATOR_REGISTRY_IMAGE
value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:076958253143ca66382d5065ba8bf257e0d56c84e7fede4d2e114870f99545f0
value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:07afe5617fdca7401d39b7a74792c496b5b9a6ccec72fe7398cf8bc6ff184b28
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: OLM_IMAGE
value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1c3ea72a23f0d6c653061c5bd97aaa6a3f7e588418df67e1212302d07c331509
value: quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:31e2fe2c034f093af23939832086b85c3835b1d09dd06526152c333cbec80958
target:
kind: Deployment
labelSelector: app=catalog-operator
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"release": {
"base": "5.0.0-0.nightly-arm64-2026-07-02-035219"
"base": "5.0.0-0.nightly-arm64-2026-07-06-035219"
},
"images": {
"operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:8c9a3c865644ccb53ab37ee161616ecccba2c1fb834f79675a64ce6874f2348e",
Expand Down
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
{
"release": {
"base": "5.0.0-0.nightly-2026-07-01-125918"
"base": "5.0.0-0.nightly-2026-07-05-172708"
},
"images": {
"operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:1c3ea72a23f0d6c653061c5bd97aaa6a3f7e588418df67e1212302d07c331509",
"operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:076958253143ca66382d5065ba8bf257e0d56c84e7fede4d2e114870f99545f0",
"operator-lifecycle-manager": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:31e2fe2c034f093af23939832086b85c3835b1d09dd06526152c333cbec80958",
"operator-registry": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:07afe5617fdca7401d39b7a74792c496b5b9a6ccec72fe7398cf8bc6ff184b28",
"kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:772437bdb01f7ed4523206fa6977cdd6b07bf86b1c7366b97dfc506a0d7ef614"
}
}
4 changes: 2 additions & 2 deletions assets/release/release-aarch64.json
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{
"release": {
"base": "5.0.0-0.nightly-arm64-2026-07-02-035219"
"base": "5.0.0-0.nightly-arm64-2026-07-06-035219"
},
"images": {
"cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:c10d50cb3876b58d05cf3a8c651a96593b668c8c44f9a60aed4df15495188e55",
"coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:7b8674c484522e90c92dd7701c2c7d6b8fa412e1ea9407eb4bee6cca26840af2",
"haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:40aeb4e2ff402d58295dc34e1817151ed4a9ad3af4576988d6608f66976b90d1",
"kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:a58d21128561488e87c8d5c9ed7a76c6406c412dc071aa5fcb9a33b1f74a3433",
"ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5c03ee82dd0efb3d5cc62c52225c38efcd0fbbf1aa1b4b8e7e8fe4cf701f1f85",
"ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:aaabe7b8816bae6d0ba5901bb68bace83e9b4e792335f65c0ff323b38c570989",
"pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:e77470864ee29dcb7b4b33d76b700a1e76006b0c78d5fb15474c550b3cb8f9de",
"service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:5476719db99b2dc909fe6bf8362b71479a14c43b938930ce011f66f663f5beea",
"lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:e77365e44676fbd8ab9e4ce53f3a406856bbdfef3467c545a7df1197d84477af",
Expand Down
4 changes: 2 additions & 2 deletions assets/release/release-x86_64.json
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
{
"release": {
"base": "5.0.0-0.nightly-2026-07-01-125918"
"base": "5.0.0-0.nightly-2026-07-05-172708"
},
"images": {
"cli": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:f05e455da699c1ae675c26bd45e979f38bf7e57afb7c3c71ae4576221be69dc8",
"coredns": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:bda7069b8d610370dde4649f16439931dd9d9b84386dfd0706188718d037f8af",
"haproxy-router": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:fbbbddc10e6888e156a0b36b1e9751e8dc053de3e0203af7e014bf61b2ef5ac4",
"kube-rbac-proxy": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:772437bdb01f7ed4523206fa6977cdd6b07bf86b1c7366b97dfc506a0d7ef614",
"ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:84c30ba6de3831698b6efba8b8fa347911f2cd3443ffb7e08286dd286fd7ba80",
"ovn-kubernetes-microshift": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:e99e72dc1b3d4efcbc87f5a163736bb2e4cabf8d653673f96044320b49cc37c5",
"pod": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:539080a9bef7f24561af6953d3e24e827dd1e5aa74311c77d93924c0b024419b",
"service-ca-operator": "quay.io/openshift-release-dev/ocp-v5.0-art-dev@sha256:cba3482d1c4d6acb0bafc88286dc117f880421fde1785b4c30b83166b2de4cd8",
"lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:10c9ccab4f2857d113b55e12cac29aed0dc97d5a4e29ed2e4ea0f77551ee55f8",
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading