1 change: 0 additions & 1 deletion CHANGELOG.md
Expand Up @@ -63,7 +63,6 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
- ROX-13500: Previously, deployment YAML check on V1 CronJob workload would cause Central to panic. This is now fixed.
- `cves.ids` field of `storage.VulnerabilityRequest` object, which is in the response of `VulnerabilityRequestService` (`/v1/cve/requests/`) endpoints, has been renamed to `cves.cves`.
- ROX-13347: Vulnerability reporting scopes specifying cluster and/or namespace names now perform exact matches on those entities, as opposed to the erroneous prefix match.
- ROX-9350: The compliance container no longer mounts the entire host root to prevent a recursive mount of other pods' persistent volumes.

## [3.72.0]

Expand Up @@ -65,7 +65,7 @@ spec:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /host/var/run/docker.sock
name: var-run-docker-sock-ro
name: var-run-docker-sock
readOnly: true
- mountPath: /host/proc
name: proc-ro
Expand Down Expand Up @@ -116,49 +116,16 @@ spec:
name: etc-ssl
- mountPath: /etc/pki/ca-trust/
name: etc-pki-volume
- mountPath: /host/etc
name: etc-ro
readOnly: true
- mountPath: /host/proc
name: proc-ro
readOnly: true
- mountPath: /host/opt
name: opt-ro
readOnly: true
- mountPath: /host/run
name: run-ro
readOnly: true
- mountPath: /host/srv
name: srv-ro
readOnly: true
- mountPath: /host/sys
name: sys-ro
readOnly: true
- mountPath: /host/usr
name: usr-ro
readOnly: true
- mountPath: /host/lib
name: lib-ro
readOnly: true
- mountPath: /host/var/lib/kubelet/kubeconfig
name: var-lib-kubelet-kubeconfig
readOnly: true
- mountPath: /host/var/lib/docker
name: var-lib-docker
readOnly: true
- mountPath: /host/var/lib/containers
name: var-lib-containers
readOnly: true
- mountPath: /host/var/log
name: var-log
readOnly: true
- mountPath: /host/var/run
name: var-run
- mountPath: /host
name: host-root-ro
readOnly: true
- mountPath: /run/secrets/stackrox.io/certs/
name: certs
readOnly: true
volumes:
- hostPath:
path: /var/run/docker.sock
name: var-run-docker-sock
- hostPath:
path: /proc
name: proc-ro
Expand All @@ -168,48 +135,15 @@ spec:
- hostPath:
path: /etc
name: etc-ro
- hostPath:
path: /sys
name: sys-ro
- hostPath:
path: /dev
name: dev-ro
- hostPath:
path: /opt
name: opt-ro
- hostPath:
path: /run
name: run-ro
- hostPath:
path: /srv
name: srv-ro
- hostPath:
path: /usr
name: usr-ro
- hostPath:
path: /usr/lib
name: usr-lib-ro
- hostPath:
path: /lib
name: lib-ro
- hostPath:
path: /var/lib/kubelet/kubeconfig
name: var-lib-kubelet-kubeconfig
- hostPath:
path: /var/lib/docker
name: var-lib-docker
- hostPath:
path: /var/lib/containers
name: var-lib-containers
- hostPath:
path: /var/log
name: var-log
- hostPath:
path: /var/run
name: var-run
path: /sys/
name: sys-ro
- hostPath:
path: /var/run/docker.sock
name: var-run-docker-sock-ro
path: /dev
name: dev-ro
- name: certs
secret:
secretName: collector-tls
Expand All @@ -220,6 +154,9 @@ spec:
path: key.pem
- key: ca.pem
path: ca.pem
- hostPath:
path: /
name: host-root-ro
- name: etc-ssl
emptyDir: {}
- name: etc-pki-volume
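Review bot: The `mountPath: /host` / `name: host-root-ro` mount in the second hunk, backed by the `hostPath` `path: /` volume in the last hunk, gives this container a view of the entire node filesystem. `readOnly: true` on a volume mount is not guaranteed to apply to submounts beneath it, so other pods' volumes reached through `/host` (the recursive-mount case the ROX-9350 changelog line describes) may not be read-only. The changelog hunk is `-63,7 +63,6` with no replacement entry, so nothing on the page records why the narrower per-directory mounts were dropped in favour of the full root. A comment above the volume, for example `# Whole host root, read-only; see ROX-9350 for the recursive-mount concern`, would keep that context next to the manifest. If the checks only read specific directories, per-directory `hostPath` volumes limit what a compromised container can read, and on clusters that support it `recursiveReadOnly: Enabled` on the mount is worth evaluating.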