fix: Enhance securityContext in ha manifests (#9810) #9930
Conversation
Codecov Report
@@            Coverage Diff            @@
##           master    #9930   +/-   ##
=======================================
  Coverage   45.96%   45.96%
=======================================
  Files         227      227
  Lines       27276    27276
=======================================
  Hits        12538    12538
  Misses      13036    13036
  Partials     1702     1702

Continue to review full report at Codecov.
@joebowbeer ready for review?
@crenshaw-dev I marked it ready. I don't know how well redis-ha is tested in the automated e2e tests, so I asked @souravsk to give it a spin.
@joebowbeer not at all, unfortunately. :-( Might see if I can test this out at Intuit for a day or two before merging.
@souravsk how many workers are in your cluster? I suggest 3 for high availability (HA) |
In my minikube there is one control plane and one worker node. I tried to create one more node but it failed. I tried many times, but somehow 5 pods are pending.
@crenshaw-dev it looks like NET_BIND_SERVICE may be problematic:
However, I don't see any privileged
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
@crenshaw-dev PTAL. I applied ha/install.yaml to a local kind cluster with 3 control plane nodes and 3 worker nodes, and everything was healthy. I ran kyverno against the argocd namespace and there were no failures:

    kyverno apply <(kustomize build https://github.com/kyverno/policies//pod-security) \
      --cluster --policy-report -n=argocd
lgtm, thanks!
Fixes #9810
Adds container-level securityContext to the argocd-redis-ha-haproxy and argocd-redis-ha-server containers.

In a static check using kyverno-cli, these updated manifests report no PSS/restricted policy failures:
Checklist:
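The static check discussed in this PR (kyverno's pod-security policies run against the ha manifests) can be approximated offline. The following is an added example, not code from the Argo CD project or from kyverno: it walks every container of a workload and reports which Pod Security Standards restricted-profile fields are missing or wrong, then shows the container-level securityContext that clears those checks. The StatefulSet, container names and images below are constructed for illustration and are not the real ha/install.yaml. One point worth knowing when reading the NET_BIND_SERVICE discussion above: the restricted profile requires dropping ALL capabilities but does permit adding back NET_BIND_SERVICE, so a proxy that binds a low port can keep that one capability and still pass.

```python
import copy
from typing import Any, Dict, Iterator, List, Tuple

# Added example: a static check of container securityContext fields against
# the Pod Security Standards "restricted" profile. Not Argo CD or kyverno code.

# Capabilities the restricted profile lets a container add back after
# dropping ALL (Kubernetes Pod Security Standards, restricted profile).
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _pod_spec(workload: Dict[str, Any]) -> Dict[str, Any]:
    """Pod spec for a bare Pod or for a workload that carries a pod template."""
    spec = workload["spec"]
    return spec["template"]["spec"] if "template" in spec else spec


def _containers(pod_spec: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    for field in ("initContainers", "containers"):
        for c in pod_spec.get(field) or []:
            yield field, c


def find_violations(workload: Dict[str, Any]) -> List[str]:
    """Return 'field/container: problem' strings; empty when the workload
    satisfies the restricted-profile checks implemented here."""
    pod_spec = _pod_spec(workload)
    pod_sc = pod_spec.get("securityContext") or {}
    problems: List[str] = []

    for field, c in _containers(pod_spec):
        name = f"{field}/{c['name']}"
        sc = c.get("securityContext") or {}

        if sc.get("privileged") is True:
            problems.append(f"{name}: privileged must not be true")

        # Must be explicitly false; when unset the kubelet allows escalation.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")

        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            problems.append(f"{name}: capabilities.add has {sorted(extra)}; "
                            "only NET_BIND_SERVICE may be added back")

        # Container-level values override pod-level ones.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{name}: runAsUser must not be 0")

        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

    return problems


def restricted_security_context(add_caps=()) -> Dict[str, Any]:
    """Container-level securityContext that satisfies the checks above."""
    sc: Dict[str, Any] = {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    if add_caps:
        sc["capabilities"]["add"] = list(add_caps)
    return sc


def harden(workload: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the workload with every container's securityContext replaced by
    the restricted one, keeping only the permitted added capabilities."""
    fixed = copy.deepcopy(workload)
    for _, c in _containers(_pod_spec(fixed)):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        keep = sorted(set(caps.get("add") or []) & ALLOWED_ADDED_CAPS)
        c["securityContext"] = restricted_security_context(keep)
    return fixed


# Constructed StatefulSet (not the real ha/install.yaml): the proxy container is
# compliant and adds back NET_BIND_SERVICE to bind a low port; the init and
# server containers are deliberately missing or misusing fields.
EXAMPLE_WORKLOAD: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {"name": "example-redis-ha"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "initContainers": [{
            "name": "config-init", "image": "example/init:latest",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"], "add": ["SYS_ADMIN"]}}}],
        "containers": [
            {"name": "proxy", "image": "example/haproxy:latest",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
            {"name": "server", "image": "example/redis:latest",
             "securityContext": {"runAsUser": 0}},
        ],
    }}},
}

if __name__ == "__main__":
    for line in find_violations(EXAMPLE_WORKLOAD):
        print("FAIL", line)
    print("after harden:", find_violations(harden(EXAMPLE_WORKLOAD)) or "no violations")
```

On the constructed input the checker reports four problems (the init container's SYS_ADMIN, and the server container's missing allowPrivilegeEscalation, missing drop ALL, and runAsUser 0) while the proxy container passes; after harden() every container is clean and the proxy still carries NET_BIND_SERVICE. The checks here mirror the restricted profile's field rules rather than kyverno's policy set, so use kyverno apply, as done in the PR, for the authoritative result.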