BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities.
This was set at container-level to ensure backwards compatibility with
use cases in which sidecars are injected into the source-controller pod
without setting less restrictive settings.
BREAKING CHANGE: The use of new seccomp API requires Kubernetes 1.19.
Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
This configures ProxyOptions for all libgit2 Checkout functions when
cloning and configures the options based on current environment
settings using the git2go.ProxyTypeAuto option.
Refs: #131
Signed-off-by: Robert Clarke <rob@robertandrewclarke.com>
Co-authored-by: Aurélien GARNIER <aurelien.garnier@atos.net>
Refactor logic to install helper tools into one function in the
Makefile. Add support for envtest to help install tools like kubectl,
etcd which helps users run tests more conveniently.
Signed-off-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
make verify is failing 'go mod tidy: go.mod file indicates go 1.16, but maximum supported version is 1.15' which indicates that the default go version on the runner is 1.15.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Leverage libraries installed in base-debian11 (glibc, libssl and openssl)
therefore refrain from linking libc/libdl and ignore unresolved symbols
at build time.
Libssl had to be kept as the behaviour without it is not consistent across
all supported architectures.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
The statically linked binary has lingering dependencing to glibc, which
leads to errors at runtime when using distroless/static. One key culprit is libnss,
which is not available in static form through package managers.
In order to support distroless/static, glibc would have to be recompiled using
the --enable-static-nss flag, and the resulting libnss_{dns,files}.a would need
to be linked during the build process.
Due to the unnecessary complexity mentioned above, distroless/base is being used
instead.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Adds an initial ATTRIBUTIONS.md file containing the open source
components that source-controller depends on, and their copyright
information.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Due to the temporary file having a random suffix, it would result in
the notification-controller not rate limiting the messages as they
are "unique".
For the close error (which also makes use of the name), we keep the
information as it might be of importance to figure out why the close
failed.
Signed-off-by: Hidde Beydals <hello@hidde.co>
Sunny
Stefan Prodan
Paulo Gomes
Hidde Beydals
Robert Clarke
Kevin McDermott
Sanskar Jaiswal
Hidde Beydals
Tom Huang
Aurel Canciu