)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":29982,"name":"Priya Shet","email":"priya.shet@gmail.com","username":"priyashet"},"change_message_id":"305cd0329d53c355da9bf055e6819edca1c47aa4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"fc2831dd_ac9f7a2c","updated":"2021-11-03 05:21:36.000000000","message":"recheck","commit_id":"ebb15ec300b62528797926d8d9055a1462873b84"},{"author":{"_account_id":28719,"name":"Phil Sphicas","email":"phil.sphicas@att.com","username":"ps3910"},"change_message_id":"243f109e6338afa7bec269306e93bf502a58b877","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"5ef9de2c_fa3372d2","updated":"2021-11-03 18:13:13.000000000","message":"FYI, this has impact to the pod spec of the heat-domain-ks-user and heat-trustee-ks-user jobs, since they already have values defined:\n\nhttps://opendev.org/openstack/openstack-helm/src/branch/master/heat/values.yaml#L1063-L1065\n\nI don\u0027t know enough about those jobs to say whether it\u0027s a problem.\n\nIt\u0027s probably worth documenting (somewhere) the required values.yaml structure, and what needs to go where to make it work.\n\n  .pod.security_context.ks_user.pod - PodSecurityContext/v1 fields\n  .pod.security_context.ks_user.container.ks_user - SecurityContext/v1 fields\n\nIt might be nice to apply this in a uniform way to all the job manifests in helm-toolkit/template/manifests\n","commit_id":"b304d9ed986dfa76034f8fe5cafb237787af35cf"},{"author":{"_account_id":29982,"name":"Priya Shet","email":"priya.shet@gmail.com","username":"priyashet"},"change_message_id":"a7446aafd83d625b197debaf9f025c4075d96670","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"90bfdbc4_5ef3aa4f","in_reply_to":"49d7632a_db35ddf8","updated":"2021-11-03 19:09:23.000000000","message":"Thank you for the feedback, documented with comments.","commit_id":"b304d9ed986dfa76034f8fe5cafb237787af35cf"},{"author":{"_account_id":22636,"name":"Cliff Parsons","email":"cliffhparsons@aol.com","username":"cliffparsons"},"change_message_id":"8f8be5d02560057aab4a9de89b783d9b795f5d42","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"49d7632a_db35ddf8","in_reply_to":"5ef9de2c_fa3372d2","updated":"2021-11-03 18:43:40.000000000","message":"I looked at those heat jobs this morning. I don\u0027t see any impact to the heat-domain-ks-user job specifically because it doesn\u0027t use the ks_user job helm-toolkit manifest (the job is defined within the heat chart). However, you\u0027re right about the heat-trustee-ks-user job. If both jobs should have the same security context, then I\u0027d suggest changing the heat/values.yaml like this:\n\n  security_context:\n    ks_user:\n      pod:\n        runAsUser: 42424\n      container:\n        ks_user:\n          readOnlyRootFilesystem: true\n          allowPrivilegeEscalation: false\n\n...and change the \"heat_ks_domain_user\" container name to \"ks_user\" within heat/templates/job-ks-user-domain.yaml, to keep them consistent.  They can then draw from the same security context definition. If they need to be different, then we can create two separate defs in the heat/values.yaml.\n\nAnd I agree that this HTK function should be documented somewhere. (maybe in the same file, in comments with examples - I see that pattern in some of the snippets and other manifests).","commit_id":"b304d9ed986dfa76034f8fe5cafb237787af35cf"},{"author":{"_account_id":22636,"name":"Cliff Parsons","email":"cliffhparsons@aol.com","username":"cliffparsons"},"change_message_id":"020411232bdcc39cb9c47a28a1d93f6ddf021c87","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"ecc13851_a58702c0","in_reply_to":"90bfdbc4_5ef3aa4f","updated":"2021-11-04 15:51:22.000000000","message":"On further review, it looks like there will not be an actual impact (not causing a failure) to the heat-trustee-ks-user job...because the heat_ks_domain_user container name will just get ignored, and there won\u0027t be a container level security context applied (only pod level). But someone would need to go back and fix the job (separate PS) so that it has both the pod and container level security contexts.","commit_id":"b304d9ed986dfa76034f8fe5cafb237787af35cf"},{"author":{"_account_id":29982,"name":"Priya Shet","email":"priya.shet@gmail.com","username":"priyashet"},"change_message_id":"fecf96c3c8dc8e4360fc0b56c5d9880fddec5467","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"88407974_6a832925","updated":"2021-11-10 18:30:45.000000000","message":"recheck","commit_id":"fddbb0a0592084b7f18fbd287c8510d73bf33e1c"}]}
