feat(executor): set seccomp profile to runtimedefault #12984
You might notice
35e9798 to f850887
Have some naming suggestions below.
f850887 to 8b121ca
1 change needed to the resource container, otherwise LGTM.
Oh and the other remaining test failure needs a change in
bf144fb to c2a5458
LGTM, thanks for iterating on this and improving the default security contexts!
c2a5458 to 566b416
Signed-off-by: Lukas Hankeln <lukashankeln@googlemail.com>
566b416 to c7b4435
Thank you for helping me out. One test was still failing, that should pass now.
Motivation
We are using Kyverno Policies to enforce different security settings within our cluster, for example running containers as non-root,
but also to explicitly have the SeccompProfile set to RuntimeDefault. See the official Documentation.
Currently the artifact GC is being blocked by our Kyverno policy. In my search for values to change the default (e.g. via Helm) I found the code I changed in this PR.
Modifications
Explicitly setting the Seccomp Profile to RuntimeDefault when creating the artifact GC Pod.
Verification
The E2E tests should catch any issues; if you want me to test this locally, let me know.
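The check that a restricted-profile policy such as the Kyverno one described above performs, and the kind of explicit setting this PR adds, as an added example that is not part of the PR or of Argo's own code. It works on a pod spec as a plain dict with the manifest's field names (`spec.securityContext.seccompProfile.type` and the per-container `securityContext.seccompProfile.type`); the sample specs, image names and the helper names (`seccomp_violations`, `set_runtime_default`) are constructed for illustration and are not taken from Argo or Kyverno.

```python
import copy
import json

# Profile types accepted by the Kubernetes "restricted" Pod Security Standard,
# which is what a policy like the one in the PR description enforces.
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _seccomp_type(security_context):
    """Return securityContext.seccompProfile.type, or None if either is absent."""
    if not security_context:
        return None
    profile = security_context.get("seccompProfile") or {}
    return profile.get("type")


def effective_seccomp_type(pod_spec, container):
    """A container-level seccompProfile overrides the pod-level one; None means neither is set."""
    container_type = _seccomp_type(container.get("securityContext"))
    if container_type is not None:
        return container_type
    return _seccomp_type(pod_spec.get("securityContext"))


def seccomp_violations(pod_spec):
    """List (container name, effective type) for each container the restricted profile rejects.

    Both "unset" (None) and "Unconfined" are rejected; init and ephemeral containers count too.
    """
    violations = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            profile_type = effective_seccomp_type(pod_spec, container)
            if profile_type not in ALLOWED_SECCOMP_TYPES:
                violations.append((container["name"], profile_type))
    return violations


def set_runtime_default(pod_spec):
    """Return a copy of pod_spec with RuntimeDefault set explicitly wherever no allowed profile is.

    As in the PR, the profile is written into the spec rather than left to the node's runtime
    default: an admission policy can only check what is in the object it sees. It is set at the
    pod level and on every container so no policy has to reason about inheritance.
    """
    hardened = copy.deepcopy(pod_spec)
    pod_sc = hardened.setdefault("securityContext", {})
    if _seccomp_type(pod_sc) not in ALLOWED_SECCOMP_TYPES:
        pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in hardened.get(field, []):
            container_sc = container.setdefault("securityContext", {})
            if _seccomp_type(container_sc) not in ALLOWED_SECCOMP_TYPES:
                container_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return hardened


# Constructed pod spec resembling a workflow artifact GC pod before the change:
# non-root is enforced, but no seccomp profile is set anywhere. Not Argo's real manifest.
ARTIFACT_GC_POD_BEFORE = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [
        {
            "name": "main",
            "image": "example.invalid/argoexec:latest",
            "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
        }
    ],
}

# Constructed edge case: pod-level RuntimeDefault does not cover a container that opts out.
SIDECAR_OPT_OUT = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "main", "image": "example.invalid/app:1"},
        {
            "name": "debug",
            "image": "example.invalid/debug:1",
            "securityContext": {"seccompProfile": {"type": "Unconfined"}},
        },
    ],
}

if __name__ == "__main__":
    for label, spec in (("artifact-gc", ARTIFACT_GC_POD_BEFORE), ("sidecar", SIDECAR_OPT_OUT)):
        print(label, "violations:", seccomp_violations(spec))
        print(label, "after fix:", seccomp_violations(set_runtime_default(spec)))
    fixed = set_runtime_default(ARTIFACT_GC_POD_BEFORE)
    print(json.dumps(fixed["containers"][0]["securityContext"], indent=2))
```

Standard library only; the dicts are what you get from `json.load` or a YAML loader on a manifest, so the same functions can lint rendered Helm output before a policy engine rejects it at admission time.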