fix: make security context configs more restrictive #3454
/assign @salsal97 @jackfrancis
Looks good! Does the test also need to be updated? It's at test/e2e/kubernetes/workloads/sgx-test.yaml
/azp run pr-e2e
Azure Pipelines could not run because the pipeline triggers exclude this branch/path.
We should definitely keep the E2E test up-to-date w/ doc recommendations!
@salsal97 @jackfrancis the e2e test is a slightly different scenario, as it's not using a device plugin and directly accessing /dev/sgx on the host.
@vtikoo Makes sense. So it sounds like we're not really testing/validating what we're recommending? What would be involved to update our tests? Is it as simple as updating the spec we kubectl apply onto the cluster?
@jackfrancis It would involve installing the sgx device plugin before the actual test workload runs. For installing the device plugin, we could either kubectl apply it and wait for it to be ready, or create an addon/extension. The latter would be more effort, but might be useful to users as well.
Right, thanks for clarifying, yeah, let's add a follow-up task to do the kubectl apply + run updated spec in the E2E tests.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: jackfrancis, salsal97, vtikoo
The full list of commands accepted by this bot can be found here. The pull request process is described here
Added this backlog issue: #3462
Co-authored-by: Vikas Tikoo <vikas.tikoo@microsoft.com>
Reason for Change:
Updated the security context related configs of the sgx device plugin to be more restrictive.
Issue Fixed:
Requirements:
Notes: