helm: Added Pod Security Policy #443
Conversation

Review threads (all outdated and resolved) on:
- manifest_staging/charts/csi-secrets-store-provider-azure/README.md
- manifest_staging/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml
- manifest_staging/charts/csi-secrets-store-provider-azure/templates/role.yaml
Codecov Report

Coverage Diff

| | master | #443 | +/- |
|---|---|---|---|
| Coverage | 64.03% | 64.03% | |
| Files | 7 | 7 | |
| Lines | 506 | 506 | |
| Hits | 324 | 324 | |
| Misses | 148 | 148 | |
| Partials | 34 | 34 | |
@@ -0,0 +1,23 @@ | |||
{{- if .Values.rbac.pspEnabled }} |
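Review bot: the guard `{{- if .Values.rbac.pspEnabled }}` gates the PodSecurityPolicy, so the `use` rule in `templates/role.yaml` and the binding in `templates/rolebinding.yaml` should be gated on the same value and reference the same `sscdpa.psp.fullname` name; a PSP that is rendered without its `use` grant admits nothing, and the provider pods would then be rejected by the admission controller unless another PSP already covers their service account. Please also document `rbac.pspEnabled` and its default in the chart README.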
```yaml
{{- if .Values.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ template "sscdpa.psp.fullname" . }}
spec:
  hostNetwork: true
  seLinux:
    rule: RunAsAny
  privileged: {{ .Values.linux.privileged }}
  volumes:
    - hostPath
    - secret
  hostPorts:
    - min: 0
      max: 65535
  fsGroup:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    ranges:
      - max: 65535
        min: 1
    rule: MustRunAs
{{- end }}
```
Also, please include the default labels in the PodSecurityPolicy, Role and RoleBinding.
@aramase should this match deployment PSP here? https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/deployment/pod-security-policy.yaml#L57-L73
@sozercan Apart from the allowedHostPaths, the rest of the spec is very similar here. Imposing the different host paths can get tedious if users want to mount a custom env file or more. WDYT?
Also, that file seems to be a little outdated. We should update it in a follow up PR.
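The allowedHostPaths difference discussed above is what decides whether a PSP bounds the host filesystem a hostPath volume may reach. As an added example (not code from this PR or the secrets-store-csi-driver-provider-azure project), here is a small Python model of how a PSP evaluates allowedHostPaths against a pod's hostPath volumes: an empty list permits any host path, a pathPrefix matches at a path-segment boundary, and a readOnly entry forces every mount of that volume to be readOnly unless a read-write entry also matches. The paths, volume names and container names are constructed sample data, not the provider's real mounts.

```python
"""Model of how a PodSecurityPolicy's allowedHostPaths gates hostPath volumes.

Added example, not project code. The prefix-boundary and readOnly rules follow
the documented PSP semantics; sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AllowedHostPath:
    path_prefix: str
    read_only: bool = False


@dataclass(frozen=True)
class HostPathVolume:
    name: str
    path: str


@dataclass(frozen=True)
class VolumeMount:
    container: str
    volume: str
    read_only: bool = False


def has_path_prefix(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies below it at a '/' boundary.

    '/foo' matches '/foo' and '/foo/bar' but not '/foobar'.
    """
    if path == prefix:
        return True
    if not prefix.endswith("/"):
        prefix += "/"
    return path.startswith(prefix)


def host_path_allowed(allowed: List[AllowedHostPath], path: str) -> Tuple[bool, bool]:
    """Return (allowed, must_be_read_only) for one hostPath volume path."""
    if not allowed:
        return True, False           # no allowedHostPaths: any host path goes
    must_be_read_only = False
    for entry in allowed:
        if has_path_prefix(path, entry.path_prefix):
            if not entry.read_only:
                return True, False   # a matching read-write entry wins outright
            must_be_read_only = True
    return must_be_read_only, must_be_read_only


def validate_host_paths(allowed: List[AllowedHostPath],
                        volumes: List[HostPathVolume],
                        mounts: List[VolumeMount]) -> List[str]:
    """Admission-style check of a pod's hostPath volumes against a PSP."""
    violations = []
    for vol in volumes:
        ok, read_only = host_path_allowed(allowed, vol.path)
        if not ok:
            violations.append(f"volume {vol.name!r}: hostPath {vol.path!r} is not allowed")
            continue
        if read_only:
            for m in mounts:
                if m.volume == vol.name and not m.read_only:
                    violations.append(
                        f"container {m.container!r}: volume {vol.name!r} must be mounted readOnly")
    return violations


# Constructed sample data (not the provider's real mounts).
RESTRICTED = [
    AllowedHostPath("/etc/kubernetes/secrets-store-csi-providers"),  # read-write
    AllowedHostPath("/etc/ssl/certs", read_only=True),
]
SAMPLE_VOLUMES = [
    HostPathVolume("providervol", "/etc/kubernetes/secrets-store-csi-providers"),
    HostPathVolume("certs", "/etc/ssl/certs"),
    HostPathVolume("kubelet", "/var/lib/kubelet"),
]
SAMPLE_MOUNTS = [
    VolumeMount("provider", "providervol"),
    VolumeMount("provider", "certs"),    # read-write mount of a readOnly-only path
    VolumeMount("provider", "kubelet"),
]

if __name__ == "__main__":
    print("restricted PSP:", validate_host_paths(RESTRICTED, SAMPLE_VOLUMES, SAMPLE_MOUNTS))
    print("no allowedHostPaths:", validate_host_paths([], SAMPLE_VOLUMES, SAMPLE_MOUNTS))
```

Run against the restricted list, the sample pod is rejected twice (the kubelet directory is outside every prefix, and the certificate directory is mounted read-write where only readOnly is allowed); with an empty allowedHostPaths list, as in the chart's PSP, the same pod passes, which is the trade-off the comment above describes.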
sounds good. we can have a follow up to address that.
Opened #479 to track the change.
Review thread (outdated and resolved) on manifest_staging/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
@pierluigilenoci Added comments. PTAL and also rebase the PR when you get a chance.
@aramase sorry it took me a while but last week I just couldn't. 👍🏻
Reason for Change:
We want to deploy secrets-store-csi-driver-provider-azure successfully in a k8s cluster with a restricted pod security policy enabled.
Requirements
Issue Fixed:
Fixes #404
Does this change contain code from or inspired by another project?
Special Notes for Reviewers:
This is inspired by @mo-saeed code from #404