Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit /etc/pki directory appnet agent bind mount to iso regions #4448

Merged
merged 1 commit into from
Dec 6, 2024
Merged

Limit /etc/pki directory appnet agent bind mount to iso regions #4448

merged 1 commit into from
Dec 6, 2024

Conversation

sparrc
Copy link
Contributor

@sparrc sparrc commented Dec 5, 2024
edited
Loading

Summary

Followup to #4437

Limit the /etc/pki directory mount in the appnet agent container to isolated regions.

This ensures that commercial/us-gov/cn partitions are unaffected by this changed directory mount to limit blast radius.

A future PR may expand this change to more partitions as needed and tested.

Testing

New tests cover the changes: yes, unit tests

Description for the changelog

NA

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@sparrc sparrc requested a review from a team as a code owner December 5, 2024 17:51
@sparrc sparrc force-pushed the sparrc-sc-pki-mount branch 5 times, most recently from 24a6b35 to ee9dc5f Compare December 5, 2024 18:58
@sparrc sparrc force-pushed the sparrc-sc-pki-mount branch from ee9dc5f to d19bf9c Compare December 5, 2024 19:56
@sparrc sparrc changed the title wip Limit /etc/pki directory appnet agent bind mount to iso regions Dec 5, 2024
sparrc
sparrc commented Dec 5, 2024
View reviewed changes
agent/engine/ordering_integ_test.go
@@ -161,6 +161,11 @@ func TestDependencyComplete(t *testing.T) {
// Container 'parent' depends on container 'dependency' to START. We ensure that the 'parent' container starts only
// after the 'dependency' container has started.
func TestDependencyStart(t *testing.T) {
// Skip these tests on WS 2016 until the failures are root-caused.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unrelated to this change, but the rest of this tests here are already skipped on WS 2016, adding this one because it is failing intermittently.

@sparrc sparrc added the bot/test label Dec 5, 2024
@sparrc sparrc merged commit 468fd49 into aws:dev Dec 6, 2024
40 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danehlim danehlim danehlim approved these changes

@tinnywang tinnywang tinnywang approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sparrc @tinnywang @danehlim @amazon-ecs-bot