Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#741] Make deployment to be compatible with restricted level Pod Security Admission #743

Closed
wants to merge 1 commit into from
Closed

[#741] Make deployment to be compatible with restricted level Pod Security Admission #743

wants to merge 1 commit into from

Conversation

gaohoward
Copy link
Collaborator

No description provided.

@gaohoward gaohoward linked an issue Nov 22, 2023 that may be closed by this pull request
Support deployment in namespaces with stricted Pod Security Admission #741
Closed
@gtully
Copy link
Contributor

gtully commented Nov 23, 2023
edited

is there any scenario where the broker will need some capabilities? I am wondering if this needs to be something we can configure rather than something that is hardcoded. Would extending our CR with PVC[] and Service[] leave us open to requiring more capabilities I wonder?

@gaohoward
Copy link
Collaborator Author

is there any scenario where the broker will need some capabilities? I am wondering if this needs to be something we can configure rather than something that is hardcoded. Would extending our CR with PVC[] and Service[] leave us open to requiring more capabilities I wonder?

I don't think broker need any special capabilities by default. But if it does, user can configure the SecurityContext to add those capabilities. If those added capabilities conflicts with the default PSA/SCC policy in the target namespace, the user needs to modify/create the target namespace with required policies.

brusdev
brusdev approved these changes Jan 15, 2024
View reviewed changes
Copy link
Contributor

@brusdev brusdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Restricting special capabilities by default if those are not required is the safest option. Users can use the new template patches to customize them.

@brusdev brusdev mentioned this pull request Feb 21, 2024
Merged
@brusdev
Copy link
Contributor

brusdev commented Feb 21, 2024

@howardgao I incorporated the commits from this PR in #801 to test the operator deployment in a restricted namespace. I removed the changes related to the security contexts of the broker pods because they were causing a conflict with the commits from #757 and I split the test to be consistent.

@gaohoward
Copy link
Collaborator Author

gaohoward commented Feb 21, 2024
edited

@brusdev thanks. I'll take a look.

@brusdev brusdev closed this Feb 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brusdev brusdev brusdev approved these changes

@gtully gtully Awaiting requested review from gtully

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support deployment in namespaces with stricted Pod Security Admission
4 participants
@gaohoward @gtully @brusdev @howardgao