test: enable PodSecurityPolicy in CI #11140

Closed
wants to merge 11 commits into from

tklauser
Member

Enable for k8s 1.18 only for CI testing.

Fixes #10659

@tklauser tklauser added wip area/CI Continuous Integration testing issue or flake dont-merge/preview-only Only for preview or testing, don't merge it. release-note/misc This PR makes changes that have no direct user impact. labels Apr 24, 2020
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.8.0 Apr 24, 2020
@tklauser
Member Author

test-me-please

@coveralls

coveralls commented Apr 24, 2020

Coverage Status

Coverage decreased (-0.02%) to 36.922% when pulling 12de9a8 on pr/tklauser/ci-test-enable-psp into c8ae6ed on master.

@tklauser
Member Author

test-missed-k8s

@tklauser
Member Author

test-upstream-k8s

@tklauser tklauser force-pushed the pr/tklauser/ci-test-enable-psp branch from c1a4cd2 to 77e293b Compare April 27, 2020 08:50
@tklauser
Member Author

test-missed-k8s

@tklauser tklauser force-pushed the pr/tklauser/ci-test-enable-psp branch from 77e293b to d7dd1af Compare April 27, 2020 11:55
@tklauser
Member Author

test-me-please

@tklauser tklauser force-pushed the pr/tklauser/ci-test-enable-psp branch from d7dd1af to bec0440 Compare April 27, 2020 12:36
@tklauser
Member Author

test-me-please

@tklauser
Member Author

test-me-please

@tklauser
Member Author

restart-ginkgo

@tklauser tklauser force-pushed the pr/tklauser/ci-test-enable-psp branch from d143b08 to 45d5de8 Compare April 27, 2020 14:27
@tklauser
Member Author

test-me-please

@tklauser tklauser added ci/flake This is a known failure that occurs in the tree. Please investigate me! and removed ci/flake This is a known failure that occurs in the tree. Please investigate me! labels Apr 29, 2020
@joestringer
Member

@tklauser are you actively working on this? In PR #10681 this PR was identified as a blocker before applying those changes.

@tklauser
Member Author

tklauser commented May 6, 2020

@joestringer Sorry, this somehow fell between the cracks. I haven't worked on it for the last few days. Currently, the PR is not in a working state as the log-gatherer won't come up due to the PSP being active. The last commit in the PR (currently 45d5de8) adds a PodSecurityPolicy for log-gatherer but it seems to be missing something. If anyone more familiar with k8s, PSPs and our CI setup wants to pick this up and get it working (or start from scratch), please feel free to do so. I could also invest some cycles into this in the next few days.

@tklauser tklauser force-pushed the pr/tklauser/ci-test-enable-psp branch from 45d5de8 to b55e4e4 Compare May 6, 2020 18:16
@tklauser
Member Author

tklauser commented May 6, 2020

test-me-please

@stale

stale bot commented Jun 5, 2020

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Jun 5, 2020
@tklauser tklauser force-pushed the pr/tklauser/ci-test-enable-psp branch from b55e4e4 to a9169db Compare June 18, 2020 10:30
@stale stale bot removed the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Jun 18, 2020
@aanm aanm force-pushed the pr/tklauser/ci-test-enable-psp branch 7 times, most recently from c454f48 to 595d461 Compare July 6, 2020 13:23
@aanm aanm force-pushed the pr/tklauser/ci-test-enable-psp branch 2 times, most recently from ca6afbc to 421ed5e Compare July 6, 2020 19:57
@aanm
Member

aanm commented Jul 6, 2020

test-me-please

@aanm aanm force-pushed the pr/tklauser/ci-test-enable-psp branch from 421ed5e to 01bf219 Compare July 7, 2020 07:05
tklauser and others added 11 commits July 8, 2020 02:14
Enable for k8s 1.17 and 1.18. The PodSecurityPolicy is not feature-gated
but enabled by enabling the PodSecurityPolicy admission plugin on
kube-apiserver.

Fixes #10659

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
These relaxations are currently needed to successfully run Cilium in CI
with PodSecurityPolicy.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
This allows for application pods running in the default namespace to be
deployed in the k8s cluster.

Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
This PSP will be used for all other components that require a PSP to
work properly. We can have a permissive PSP for these components since
we have a dedicated PSP for Cilium.

Signed-off-by: André Martins <andre@cilium.io>
When config options that open hostPorts are enabled the
PodSecurityPolicy needs to reflect this or it will not be selected.

Signed-off-by: Christian Frantsen <christian.frantsen@dom.se>
Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Christian Frantsen <christian.frantsen@dom.se>
Signed-off-by: Christian Frantsen <christian.frantsen@dom.se>
Signed-off-by: Christian Frantsen <christian.frantsen@dom.se>
@aanm aanm force-pushed the pr/tklauser/ci-test-enable-psp branch from 01bf219 to 12de9a8 Compare July 8, 2020 00:22
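
The hostPorts commit message above says a PodSecurityPolicy that does not reflect a pod's host ports will not be selected. As an added example (not code from this PR or from Cilium), the Go program below models that check with reduced, hypothetical `Policy` and `Pod` types and constructed port numbers; it ignores every other PSP field and the order in which real admission prefers policies.

```go
package main

import "fmt"

// HostPortRange mirrors the min/max pairs of a PSP's spec.hostPorts list.
type HostPortRange struct{ Min, Max int32 }

// Policy and Pod are reduced, hypothetical models: only host ports are
// represented, every other PSP and pod field is ignored.
type Policy struct {
	Name      string
	HostPorts []HostPortRange
}

type Pod struct{ HostPorts []int32 }

// Reject returns "" when every host port of the pod falls inside one of
// the policy's ranges, otherwise the reason this policy cannot be used.
func (p Policy) Reject(pod Pod) string {
next:
	for _, port := range pod.HostPorts {
		for _, r := range p.HostPorts {
			if port >= r.Min && port <= r.Max {
				continue next
			}
		}
		return fmt.Sprintf("hostPort %d outside allowed ranges", port)
	}
	return ""
}

// SelectPolicy returns the first policy that admits the pod, or "" plus
// one rejection reason per policy when none does.
func SelectPolicy(policies []Policy, pod Pod) (string, []string) {
	var reasons []string
	for _, p := range policies {
		why := p.Reject(pod)
		if why == "" {
			return p.Name, nil
		}
		reasons = append(reasons, p.Name+": "+why)
	}
	return "", reasons
}

func main() {
	pod := Pod{HostPorts: []int32{9090, 9999}} // constructed port numbers
	stale := Policy{Name: "stale", HostPorts: []HostPortRange{{9090, 9090}}}
	fmt.Println(SelectPolicy([]Policy{stale}, pod))
}
```

Collecting one reason per policy makes it visible which port a policy failed to cover when no policy is selected.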
@sayboras
Member

sayboras commented Jul 8, 2020

@aanm @tklauser Seems like PSP is unlikely to go to GA, and will probably get deprecated as per kubernetes/enhancements#5

I am curious what the Cilium roadmap will look like on this matter.

@aanm
Member

aanm commented Jul 8, 2020

@sayboras interesting, I've actually been working on this PR lately. Thank you for letting me know!

@aanm
Member

aanm commented Jul 9, 2020

Closing this PR. PodSecurityPolicy will be removed from Kubernetes kubernetes/kubernetes#90603

@aanm aanm closed this Jul 9, 2020
@tklauser tklauser deleted the pr/tklauser/ci-test-enable-psp branch July 9, 2020 08:19
Development

Successfully merging this pull request may close these issues.

Enable K8s PSP in the CI
6 participants