🔥 Apply carried patches.

.ko.yaml

@@ -1,3 +1,5 @@
 # Use :nonroot base image for all containers
+defaultBaseImage: registry.access.redhat.com/ubi8/ubi-minimal:latest
 baseImageOverrides:
+  knative.dev/serving/test/test_images/runtime: gcr.io/distroless/static:nonroot
   knative.dev/serving/vendor/github.com/tsenart/vegeta/v12: ubuntu:latest

config/core/200-roles/config-map-view-downstream.yaml

@@ -0,0 +1,25 @@
+# Extra role for downstream, so that users can get the autoscaling CM to fetch defaults.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: knative-serving
+  name: openshift-serverless-view-serving-configmaps
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["config-autoscaler"]
+    verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openshift-serverless-view-serving-configmaps
+  namespace: knative-serving
+subjects:
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openshift-serverless-view-serving-configmaps

config/core/deployments/activator-hpa.yaml

@@ -50,7 +50,7 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: devel
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: activator

config/core/deployments/webhook-hpa.yaml

@@ -48,7 +48,7 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: devel
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: webhook

openshift/release/artifacts/serving-core.yaml

@@ -1,26 +1,4 @@
 ---
-# Copyright 2018 The Knative Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     https://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: knative-serving
-  labels:
-    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "release-v1.15"
----
 # Copyright 2023 The Knative Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -245,6 +223,32 @@ rules:
     verbs: ["delete"]
     resourceNames: ["knative-serving-certmanager"]
 ---
+# Extra role for downstream, so that users can get the autoscaling CM to fetch defaults.
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: knative-serving
+  name: openshift-serverless-view-serving-configmaps
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["config-autoscaler"]
+    verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openshift-serverless-view-serving-configmaps
+  namespace: knative-serving
+subjects:
+  - kind: Group
+    name: system:authenticated
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: openshift-serverless-view-serving-configmaps
+---
 # Copyright 2019 The Knative Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -8476,7 +8480,7 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: "release-v1.15"
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: activator
@@ -8968,7 +8972,7 @@ metadata:
     app.kubernetes.io/name: knative-serving
     app.kubernetes.io/version: "release-v1.15"
 spec:
-  minAvailable: 80%
+  minAvailable: 1
   selector:
     matchLabels:
       app: webhook

pkg/apis/serving/v1/revision_defaults.go

@@ -223,21 +223,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 	if updatedSC.AllowPrivilegeEscalation == nil {
 		updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
 	}
-	if psc.SeccompProfile == nil || psc.SeccompProfile.Type == "" {
-		if updatedSC.SeccompProfile == nil {
-			updatedSC.SeccompProfile = &corev1.SeccompProfile{}
-		}
-		if updatedSC.SeccompProfile.Type == "" {
-			updatedSC.SeccompProfile.Type = corev1.SeccompProfileTypeRuntimeDefault
-		}
-	}
+
 	if updatedSC.Capabilities == nil {
 		updatedSC.Capabilities = &corev1.Capabilities{}
 		updatedSC.Capabilities.Drop = []corev1.Capability{"ALL"}
 		// Default in NET_BIND_SERVICE to allow binding to low-numbered ports.
 		needsLowPort := false
 		for _, p := range container.Ports {
-			if p.ContainerPort < 1024 {
+			if p.ContainerPort > 0 && p.ContainerPort < 1024 {
 				needsLowPort = true
 				break
 			}
@@ -246,11 +239,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
 			updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"}
 		}
 	}
-
-	if psc.RunAsNonRoot == nil {
+	if psc.RunAsNonRoot == nil && updatedSC.RunAsNonRoot == nil {
 		updatedSC.RunAsNonRoot = ptr.Bool(true)
 	}
-
 	if *updatedSC != (corev1.SecurityContext{}) {
 		container.SecurityContext = updatedSC
 	}

pkg/apis/serving/v1/revision_defaults_test.go

@@ -934,11 +934,8 @@ func TestRevisionDefaulting(t *testing.T) {
 						ReadinessProbe: defaultProbe,
 						Resources:      defaultResources,
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
-							SeccompProfile: &corev1.SeccompProfile{
-								Type: corev1.SeccompProfileTypeRuntimeDefault,
-							},
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 								Add:  []corev1.Capability{"NET_BIND_SERVICE"},
@@ -948,11 +945,8 @@ func TestRevisionDefaulting(t *testing.T) {
 						Name:      "sidecar",
 						Resources: defaultResources,
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
-							SeccompProfile: &corev1.SeccompProfile{
-								Type: corev1.SeccompProfileTypeRuntimeDefault,
-							},
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 							},
@@ -961,11 +955,8 @@ func TestRevisionDefaulting(t *testing.T) {
 						Name:      "special-sidecar",
 						Resources: defaultResources,
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(true),
-							SeccompProfile: &corev1.SeccompProfile{
-								Type: corev1.SeccompProfileTypeRuntimeDefault,
-							},
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Add:  []corev1.Capability{"NET_ADMIN"},
 								Drop: []corev1.Capability{},
@@ -975,12 +966,12 @@ func TestRevisionDefaulting(t *testing.T) {
 					InitContainers: []corev1.Container{{
 						Name: "special-init",
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(true),
 							SeccompProfile: &corev1.SeccompProfile{
 								Type:             corev1.SeccompProfileTypeLocalhost,
 								LocalhostProfile: ptr.String("special"),
 							},
+							RunAsNonRoot: ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Add: []corev1.Capability{"NET_ADMIN"},
 							},
@@ -1038,8 +1029,8 @@ func TestRevisionDefaulting(t *testing.T) {
 						ReadinessProbe: defaultProbe,
 						Resources:      defaultResources,
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 							},
@@ -1048,8 +1039,8 @@ func TestRevisionDefaulting(t *testing.T) {
 					InitContainers: []corev1.Container{{
 						Name: "init",
 						SecurityContext: &corev1.SecurityContext{
-							RunAsNonRoot:             ptr.Bool(true),
 							AllowPrivilegeEscalation: ptr.Bool(false),
+							RunAsNonRoot:             ptr.Bool(true),
 							Capabilities: &corev1.Capabilities{
 								Drop: []corev1.Capability{"ALL"},
 							},

pkg/reconciler/revision/resources/queue.go

@@ -87,9 +87,6 @@ var (
 		Capabilities: &corev1.Capabilities{
 			Drop: []corev1.Capability{"ALL"},
 		},
-		SeccompProfile: &corev1.SeccompProfile{
-			Type: corev1.SeccompProfileTypeRuntimeDefault,
-		},
 	}
 )
 

pkg/reconciler/route/resources/service.go

@@ -60,10 +60,9 @@ func MakeK8sPlaceholderService(ctx context.Context, route *v1.Route, tagName str
 			ExternalName:    domainName,
 			SessionAffinity: corev1.ServiceAffinityNone,
 			Ports: []corev1.ServicePort{{
-				Name:        netapi.ServicePortNameH2C,
-				AppProtocol: &netapi.AppProtocolH2C,
-				Port:        int32(80),
-				TargetPort:  intstr.FromInt(80),
+				Name:       netapi.ServicePortNameH2C,
+				Port:       int32(80),
+				TargetPort: intstr.FromInt(80),
 			}},
 		},
 	}, nil
@@ -102,10 +101,9 @@ func MakeK8sService(ctx context.Context, route *v1.Route, tagName string, ingres
 			ObjectMeta: makeServiceObjectMeta(hostname, route),
 			Spec: corev1.ServiceSpec{
 				Ports: []corev1.ServicePort{{
-					Name:        netapi.ServicePortNameH2C,
-					AppProtocol: &netapi.AppProtocolH2C,
-					Port:        int32(80),
-					TargetPort:  intstr.FromInt(80),
+					Name:       netapi.ServicePortNameH2C,
+					Port:       int32(80),
+					TargetPort: intstr.FromInt(80),
 				}},
 			},
 		},
@@ -130,9 +128,8 @@ func MakeK8sService(ctx context.Context, route *v1.Route, tagName string, ingres
 					IP: balancer.IP,
 				}},
 				Ports: []corev1.EndpointPort{{
-					Name:        netapi.ServicePortNameH2C,
-					AppProtocol: &netapi.AppProtocolH2C,
-					Port:        int32(80),
+					Name: netapi.ServicePortNameH2C,
+					Port: int32(80),
 				}},
 			}},
 		}

pkg/reconciler/route/resources/service_test.go

@@ -54,10 +54,9 @@ var (
 	}
 
 	expectedPorts = []corev1.ServicePort{{
-		Name:        netapi.ServicePortNameH2C,
-		AppProtocol: &netapi.AppProtocolH2C,
-		Port:        int32(80),
-		TargetPort:  intstr.FromInt(80),
+		Name:       netapi.ServicePortNameH2C,
+		Port:       int32(80),
+		TargetPort: intstr.FromInt(80),
 	}}
 )
 
@@ -124,9 +123,8 @@ func TestMakeK8SService(t *testing.T) {
 				IP: "some-ip",
 			}},
 			Ports: []corev1.EndpointPort{{
-				Name:        netapi.ServicePortNameH2C,
-				AppProtocol: &netapi.AppProtocolH2C,
-				Port:        int32(80),
+				Name: netapi.ServicePortNameH2C,
+				Port: int32(80),
 			}},
 		}},
 	}, {
@@ -202,9 +200,8 @@ func TestMakeK8SService(t *testing.T) {
 				IP: "some-ip",
 			}},
 			Ports: []corev1.EndpointPort{{
-				Name:        netapi.ServicePortNameH2C,
-				AppProtocol: &netapi.AppProtocolH2C,
-				Port:        int32(80),
+				Name: netapi.ServicePortNameH2C,
+				Port: int32(80),
 			}},
 		}},
 	}, {
@@ -395,10 +392,9 @@ func TestMakePlaceholderService(t *testing.T) {
 				ExternalName:    tt.expectedExternalName,
 				SessionAffinity: corev1.ServiceAffinityNone,
 				Ports: []corev1.ServicePort{{
-					Name:        netapi.ServicePortNameH2C,
-					AppProtocol: &netapi.AppProtocolH2C,
-					Port:        int32(80),
-					TargetPort:  intstr.FromInt(80),
+					Name:       netapi.ServicePortNameH2C,
+					Port:       int32(80),
+					TargetPort: intstr.FromInt(80),
 				}},
 			}
 

pkg/reconciler/serverlessservice/resources/services.go

@@ -60,11 +60,10 @@ func MakePublicService(sks *v1alpha1.ServerlessService) *corev1.Service {
 
 func makePublicServicePorts(sks *v1alpha1.ServerlessService) []corev1.ServicePort {
 	ports := []corev1.ServicePort{{
-		Name:        pkgnet.ServicePortName(sks.Spec.ProtocolType),
-		Protocol:    corev1.ProtocolTCP,
-		AppProtocol: pkgnet.AppProtocol(sks.Spec.ProtocolType),
-		Port:        int32(pkgnet.ServicePort(sks.Spec.ProtocolType)),
-		TargetPort:  targetPort(sks),
+		Name:       pkgnet.ServicePortName(sks.Spec.ProtocolType),
+		Protocol:   corev1.ProtocolTCP,
+		Port:       int32(pkgnet.ServicePort(sks.Spec.ProtocolType)),
+		TargetPort: targetPort(sks),
 	}, {
 		// The HTTPS port is used when activator-ca is enabled.
 		// Although it is not used by default, we put it here as it should be harmless
@@ -145,10 +144,9 @@ func MakePrivateService(sks *v1alpha1.ServerlessService, selector map[string]str
 		},
 		Spec: corev1.ServiceSpec{
 			Ports: []corev1.ServicePort{{
-				Name:        pkgnet.ServicePortName(sks.Spec.ProtocolType),
-				Protocol:    corev1.ProtocolTCP,
-				AppProtocol: pkgnet.AppProtocol(sks.Spec.ProtocolType),
-				Port:        pkgnet.ServiceHTTPPort,
+				Name:     pkgnet.ServicePortName(sks.Spec.ProtocolType),
+				Protocol: corev1.ProtocolTCP,
+				Port:     pkgnet.ServiceHTTPPort,
 				// This one is matching the public one, since this is the
 				// port queue-proxy listens on.
 				TargetPort: targetPort(sks),