Pod security standards restricted defaults #9490
I haven't done the manual testing, but overall this passes the eye test
I'm hoping that indentation can be more consistent and/or that there can be an explanation for why it needs to be different in certain cases
install/helm/gloo/templates/14-clusteringress-proxy-deployment.yaml
Co-authored-by: Bernie Birnbaum <bewebi@earthlink.net>
Updated with PR feedback
install/helm/gloo/templates/14-clusteringress-proxy-deployment.yaml
LGTM
I also did some of the local validation
Co-authored-by: Bernie Birnbaum <bewebi@earthlink.net>
* first round helm changes
* gateway test secure helm
* updates
* Adding changelog file to new location
* Deleting changelog file from old location
* Update helm.yaml
* update names
* Update helm.yaml
* Update helm.yaml
* Update helm_test.go
* refactor GetStructuredDeployment
* Revert "refactor GetStructuredDeployment"
  This reverts commit c7325a8.
* All the containers
* generated
* generate and k8s-utils
* Update pod-security-standards.yaml
* Update 7-gateway-proxy-deployment.yaml
* Start of pod security defaults
* Update pod-security-standards.yaml
* updates
* More container updates
* steps - can't apply defaults
* Helm fixes and add to kube2e helm
* whitespace cleanup
* Update helm-override.yaml
* tests
* add seccompTypeValue
* Update helm_test.go
* Update pod-security-standards.yaml
* Update pod-security-standards.yaml
* Update pod-security-standards.yaml
* Update _helpers.tpl
* Update values.go
* Adding changelog file to new location
* Deleting changelog file from old location
* Update _helpers.tpl
* update template to take ".indent" argument
* Update _helpers.tpl
* generate
* Update _helpers.tpl
* Update _helpers.tpl
* Update changelog/v1.17.0-beta29/pod-security-standards.yaml
  Co-authored-by: Bernie Birnbaum <bewebi@earthlink.net>
* indenting includes
* PR feedback
* Update install/test/helm_test.go
  Co-authored-by: Bernie Birnbaum <bewebi@earthlink.net>

---------

Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
Co-authored-by: changelog-bot <changelog-bot>
Co-authored-by: Bernie Birnbaum <bewebi@earthlink.net>
Description

Update Helm templates to allow all containers' `securityContext`s to be defined in order to support Pod Security Standards. Provide a flag to default all containers to a `securityContext` that has the minimal changes needed to conform to restricted policy.

Helm Changes

- `securityContext`s and apply appropriate defaults.
- `securityContext` for each container that did not have one defined.
- `global.podSecurityStandards` to manage data related to Pod Security Standards
  - `global.podSecurityStandards.container` to manage container-level configuration
    - `global.podSecurityStandards.container.enableRestrictedContainerDefaults` - uses `restricted` compliant defaults for container
    - `global.podSecurityStandards.container.defaultSeccompProfileType` - defines default `seccompProfileType` to use for containers.

The default securityContext when `global.podSecurityStandards.container.enableRestrictedContainerDefaults` is enabled is equivalent to:

There is no variation allowed for these values, except `seccompProfile.type` can be `Localhost` instead of `RuntimeDefault`. That value can be configured with `global.podSecurityStandards.container.defaultSeccompProfileType`. `capabilities.add` can also be set to

Context

Users ran into this while attempting to run Gloo Edge with a Restricted Pod Security Policy.
Testing steps

Manual validation

Default behavior

With a kubernetes environment created, gloo not installed, and `$VERSION` defined:

- `gloo-system` namespace and label as `warn=restricted`

You will see output that looks like:

Restricted Compliant behavior

`securityContexts`

The warnings no longer appear.
And Gloo Edge can be successfully uninstalled and reinstalled.
Automated testing
Additionally, unit tests have been added/expanded, and `global.podSecurityStandards.container.enableRestrictedContainerDefaults=true` has been set on the kube2e tests to ensure that functionality works with these standards applied.
The test server used for the kube2e tests uses an image that runs as root, so for the moment we are not applying the labels to the namespace in the e2e tests, instead relying on the helm flag to enforce compliance for Edge components. This can be revisited if deemed worth the time and effort.
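The description above leaves out the rendered block, so here is an added example (not code from this PR or from the Gloo project) that spells out what the restricted profile actually checks at container level and what the minimal compliant securityContext looks like. It is written in Go, the project's language, but uses plain structs instead of k8s.io/api so it runs offline. Assumptions: the flag semantics (defaults are filled in only for containers that have no securityContext of their own) are modelled, not taken from the chart; the pod JSON is constructed; only the container-level subset of the restricted profile (runAsNonRoot, allowPrivilegeEscalation, capabilities, seccompProfile) is covered, pod-level inheritance and fields such as hostNetwork or volumes are not. The capability rule is the real one: restricted requires dropping ALL and permits adding only NET_BIND_SERVICE.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the container-level fields the "restricted" Pod Security Standard
// inspects are modelled. encoding/json matches field names case-insensitively,
// so untagged fields still map to the lower-camel JSON keys kubectl uses.
type (
	SecurityContext struct {
		RunAsNonRoot             *bool           `json:"runAsNonRoot,omitempty"`
		AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
		Capabilities             *Capabilities   `json:"capabilities,omitempty"`
		SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
	}
	Capabilities   struct{ Add, Drop []string }
	SeccompProfile struct{ Type string }
	Container      struct {
		Name            string           `json:"name"`
		SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	}
	PodSpec struct{ Containers []Container }
)

func boolPtr(b bool) *bool { return &b }

// RestrictedDefaults is the smallest container securityContext that passes
// the restricted profile. seccompType must be RuntimeDefault or Localhost.
func RestrictedDefaults(seccompType string) *SecurityContext {
	return &SecurityContext{
		RunAsNonRoot:             boolPtr(true),
		AllowPrivilegeEscalation: boolPtr(false),
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
		SeccompProfile:           &SeccompProfile{Type: seccompType},
	}
}

// ContainerViolations lists why the restricted profile rejects a container.
// Pod-level inheritance is ignored on purpose: defaults here are per container.
func ContainerViolations(c Container) []string {
	var v []string
	sc := c.SecurityContext
	if sc == nil {
		sc = &SecurityContext{}
	}
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		v = append(v, "runAsNonRoot must be true")
	}
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation must be false")
	}
	dropAll := false
	if sc.Capabilities != nil {
		for _, d := range sc.Capabilities.Drop {
			dropAll = dropAll || d == "ALL"
		}
		for _, a := range sc.Capabilities.Add {
			if a != "NET_BIND_SERVICE" { // the only capability restricted lets you add
				v = append(v, "capabilities.add may only contain NET_BIND_SERVICE, got "+a)
			}
		}
	}
	if !dropAll {
		v = append(v, "capabilities.drop must include ALL")
	}
	if sp := sc.SeccompProfile; sp == nil || (sp.Type != "RuntimeDefault" && sp.Type != "Localhost") {
		v = append(v, "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	return v
}

// ApplyRestrictedDefaults gives every container with no securityContext the
// restricted defaults (assumed flag semantics). A partial, hand-written
// context is left alone, so it can still fail the profile afterwards.
func ApplyRestrictedDefaults(spec PodSpec, seccompType string) PodSpec {
	out := PodSpec{Containers: append([]Container(nil), spec.Containers...)}
	for i := range out.Containers {
		if out.Containers[i].SecurityContext == nil {
			out.Containers[i].SecurityContext = RestrictedDefaults(seccompType)
		}
	}
	return out
}

// Constructed sample, not a real chart rendering: one container without a
// securityContext and one with a hand-written, partial one.
const samplePod = `{"containers":[
  {"name":"gateway-proxy"},
  {"name":"sds","securityContext":{"runAsNonRoot":true,"capabilities":{"drop":["ALL"]}}}
]}`

func main() {
	var spec PodSpec
	if err := json.Unmarshal([]byte(samplePod), &spec); err != nil {
		panic(err)
	}
	for i, c := range ApplyRestrictedDefaults(spec, "RuntimeDefault").Containers {
		fmt.Printf("%s: before=%v after=%v\n", c.Name,
			ContainerViolations(spec.Containers[i]), ContainerViolations(c))
	}
}
```

The second container is the caveat worth keeping in mind when relying on a chart-level default: a container that already carries a partial securityContext (here, runAsNonRoot and drop ALL but no allowPrivilegeEscalation or seccompProfile) is not touched by the defaults and still trips the `warn=restricted` label, so every explicitly defined context has to be checked on its own.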