fix: pss restricted securityContext #9765
Conversation
Codecov Report

@@           Coverage Diff           @@
##           master    #9765   +/-   ##
=======================================
  Coverage   45.90%   45.90%
=======================================
  Files         227      227
  Lines       26795    26795
=======================================
  Hits        12299    12299
  Misses      12820    12820
  Partials     1676     1676

Continue to review full report at Codecov.
775fec8 to 71bf479
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
@joebowbeer good catch on the casing issue! Do you happen to know if the feature is case-sensitive?
I'm curious about the seccompProfile change. If I'm reading this correctly, making RuntimeDefault explicit should have no effect:
Note: If you have the SeccompDefault feature gate enabled, then Pods use the RuntimeDefault seccomp profile whenever no other seccomp profile is specified. Otherwise, the default is Unconfined.
Is the idea just to be explicit so it's even more clear if someone tries to change to a less secure default?
Yes, this feature is case-sensitive. The docs clearly state:
The requirement for an explicit type is also part of the restricted standards:
Note that this is for Kubernetes v1.19 or later, but that's not an issue, right? AFAICT, ArgoCD supports two previous versions, so its minimum version is currently 1.21. By the way, here is the corresponding kyverno policy: https://kyverno.io/policies/pod-security/restricted/restrict-seccomp-strict/restrict-seccomp-strict/
@joebowbeer thanks for the thorough response! All makes sense. On the k8s version question, I'm actually not sure. @alexmt I didn't see anything in the docs about supported k8s versions. Am I missing it?
Approving, waiting for Alex's comments on k8s version support. Thanks again @joebowbeer!
Fixes #9743
This PR addresses most of the issues with PSS/restricted compliance. Specifically, the following kustomize folders are fixed:
manifests/cluster-install
manifests/cluster-rbac
manifests/core-install
manifests/namespace-install
It does not modify the securityContext for the haproxy containers. I'll leave this for a subsequent PR. As a result, the following kustomize folders still have 6 failures each:
manifests/ha/cluster-install
manifests/ha/namespace-install
The 6 failures are because 3 properties are missing from the securityContext in each of the 2 deployments: argocd-redis-ha-haproxy and argocd-redis-ha-server.
The following command verifies the fix for manifests/namespace-install:

Checklist:
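The two checks discussed on this page, the explicit and case-sensitive seccompProfile.type from the review thread and the securityContext properties that the PR description says are still missing on the argocd-redis-ha-haproxy and argocd-redis-ha-server containers, as an added example that is not part of this PR or of Argo CD's code. It encodes the container-level requirements of the Kubernetes Pod Security Standards "restricted" profile (allowPrivilegeEscalation: false, capabilities.drop: ALL, runAsNonRoot: true, and an explicit seccompProfile.type of RuntimeDefault or Localhost) as a dependency-free checker; the two pod specs are constructed for illustration and are not copied from the manifests. The checker goes slightly beyond the thread by also covering capabilities.add and initContainers, which the same profile restricts.

```python
"""Check pod/container securityContext settings against the PSS 'restricted' profile.

Added example, not Argo CD code. Rules follow the Kubernetes Pod Security
Standards 'restricted' profile; the sample specs at the bottom are constructed.
"""
from typing import Any, Dict, List

# Exact-match set: the admission controller compares the string as-is, so
# "runtimeDefault" or "RUNTIMEDEFAULT" would be rejected just like a missing type.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def check_container(container: Dict[str, Any], pod_sc: Dict[str, Any]) -> List[str]:
    """Return the restricted-profile violations for one container.

    Container-level securityContext overrides pod-level, so fields that may be
    set at either level are read from the container first, then the pod.
    """
    csc = container.get("securityContext") or {}
    name = container.get("name", "<unnamed>")
    failures: List[str] = []

    def effective(field: str) -> Any:
        return csc[field] if field in csc else pod_sc.get(field)

    # Must be explicitly false; this field only exists at container level.
    if csc.get("allowPrivilegeEscalation") is not False:
        failures.append(f"{name}: allowPrivilegeEscalation must be set to false")

    # All capabilities dropped; only NET_BIND_SERVICE may be added back.
    caps = csc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        failures.append(f"{name}: capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
    if extra:
        failures.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")

    # runAsNonRoot may come from the pod, but a container must not override it to false.
    if effective("runAsNonRoot") is not True:
        failures.append(f"{name}: runAsNonRoot must be true")

    # seccompProfile.type must be present somewhere and match exactly.
    stype = (effective("seccompProfile") or {}).get("type")
    if stype is None:
        failures.append(f"{name}: seccompProfile.type must be set explicitly")
    elif stype not in ALLOWED_SECCOMP_TYPES:
        failures.append(f"{name}: seccompProfile.type {stype!r} is not RuntimeDefault or Localhost (case-sensitive)")

    return failures


def check_pod_spec(spec: Dict[str, Any]) -> List[str]:
    """Run check_container over every init container and container in a pod spec."""
    pod_sc = spec.get("securityContext") or {}
    failures: List[str] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        failures.extend(check_container(c, pod_sc))
    return failures


# Constructed sample: three problems on one container, including the casing mistake.
WEAK_POD_SPEC = {
    "securityContext": {"seccompProfile": {"type": "runtimeDefault"}},  # wrong casing
    "containers": [
        {"name": "haproxy", "securityContext": {"runAsNonRoot": True}},
    ],
}

# Constructed sample: the same container with the restricted profile satisfied.
HARDENED_POD_SPEC = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {
            "name": "haproxy",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        },
    ],
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_POD_SPEC), ("hardened", HARDENED_POD_SPEC)):
        problems = check_pod_spec(spec)
        print(f"{label}: {len(problems)} violation(s)")
        for p in problems:
            print("  -", p)
```

Running it lists three violations for the weak spec (allowPrivilegeEscalation, capabilities.drop, and the mis-cased seccomp type) and none for the hardened one; a kustomize build piped through a YAML loader can feed real Deployment pod templates into check_pod_spec the same way.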