Support Pod Security Admission #190

JohnStrunk · 2022-06-30T17:37:08Z

Describe the feature you'd like to have.
The default deployment of SnapScheduler should be compliant w/ the "restricted" PSA profile.

What is the value to the end user? (why is it a priority?)

How will we know we have a good solution? (acceptance criteria)

Additional context

There's nothing that requires us to be non-compliant (no needed permissions, etc.)
Kind clusters for CI should be put into enforcing mode
The only change necessary appears to be setting the Pod SecurityContext to include:
```
seccompProfile:
  type: RuntimeDefault
```
Unfortunately, these changes will break deployments on OpenShift 4.10

Changes needed:

snapscheduler/config/manager/manager.yaml

Lines 38 to 42 in e5a3fe7

    
           securityContext: 
        
             runAsNonRoot: true 
        
             # Uncomment when we no longer support OCP 4.10 
        
             # seccompProfile: 
        
             #   type: RuntimeDefault

snapscheduler/helm/snapscheduler/values.yaml

Lines 31 to 35 in e5a3fe7

    
           podSecurityContext: 
        
             runAsNonRoot: true 
        
             # Uncomment when we no longer support OCP 4.10 
        
             # seccompProfile: 
        
             #   type: RuntimeDefault

JohnStrunk added the enhancement New feature or request label Jun 30, 2022

project-bot bot added this to Unprioritized in SnapScheduler work items Jun 30, 2022

JohnStrunk mentioned this issue Jun 30, 2022

Enable Pod Security Admission in warning mode #191

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support Pod Security Admission #190

Support Pod Security Admission #190

JohnStrunk commented Jun 30, 2022

Support Pod Security Admission #190

Support Pod Security Admission #190

Comments

JohnStrunk commented Jun 30, 2022