
Support new Kubernetes PodSecurityStandards for Korifi core pods #1221

Closed
4 tasks done
danail-branekov opened this issue Jun 13, 2022 · 0 comments


danail-branekov commented Jun 13, 2022

As of Kubernetes 1.21 pod security policies are deprecated and are going to be removed in 1.25. They are going to be replaced by the Pod security admission controller and pod security standards. This means that pod security is going to be configured per namespace rather than per pod.

We would like to enforce the restricted security standard on Korifi "core" pods.

Acceptance

Given Korifi is deployed
Then I see that the eirini-controller, korifi-api-system, korifi-controllers-system and korifi-kpack-build-system namespaces contain the following labels:

pod-security.kubernetes.io/audit=restricted
pod-security.kubernetes.io/enforce=restricted

When Korifi is deployed
Then the containers of the eirini-controller, korifi-api-system, korifi-controllers-system and korifi-kpack-build-system pods have the following security context:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

• Enforce the restricted pod security on Korifi's pods/namespaces: PR Configure Korifi with restricted pod-security #1277
• Enforce the restricted pod security on eirini-controllers pods/namespaces
• Release a new version of eirini-controller
• Bump the eirini-controller version in install-dependencies
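The acceptance criteria above amount to two checks: the namespace carries the restricted enforce/audit labels, and every container meets the four restricted securityContext requirements. The following is an added example (not Korifi's own deployment test) that runs those checks over objects in the shape `kubectl get ns/pod -o json` returns; the sample objects are constructed, and it also accepts the `Localhost` seccomp type and pod-level `runAsNonRoot`/`seccompProfile`, which the restricted standard allows but the issue does not mention.

```python
from typing import Any

# Labels the issue requires on each Korifi core namespace.
PSS_LABELS = {
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/audit": "restricted",
}

def namespace_violations(ns: dict[str, Any]) -> list[str]:
    """Return the missing or wrong pod-security labels on a namespace object."""
    labels = ns.get("metadata", {}).get("labels", {})
    return [f"label {k}={v} missing (got {labels.get(k)!r})"
            for k, v in PSS_LABELS.items() if labels.get(k) != v]

def container_violations(pod_sc: dict, container: dict) -> list[str]:
    """Check one container against the restricted profile. runAsNonRoot and
    seccompProfile may be inherited from the pod-level securityContext; the
    other two fields must be set on the container itself."""
    sc = container.get("securityContext") or {}
    name = container.get("name", "?")
    out = []
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        out.append(f"{name}: capabilities.drop must include ALL")
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        out.append(f"{name}: runAsNonRoot must be true")
    seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out

def pod_violations(pod: dict[str, Any]) -> list[str]:
    """Init containers are checked too; the admission controller checks all of them."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return [v for c in containers for v in container_violations(pod_sc, c)]

# Constructed sample objects, not taken from a real Korifi cluster.
GOOD_NS = {"metadata": {"name": "korifi-api-system", "labels": dict(PSS_LABELS)}}
GOOD_POD = {"spec": {"containers": [{"name": "manager", "securityContext": {
    "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}}]}}
# Only runAsNonRoot is satisfied (inherited from the pod); three checks fail.
BAD_POD = {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
    {"name": "manager", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}}

if __name__ == "__main__":
    print(namespace_violations(GOOD_NS), pod_violations(GOOD_POD), pod_violations(BAD_POD))
```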
@danail-branekov danail-branekov created this issue from a note in Korifi - Backlog (🧊 Icebox) Jun 13, 2022
@gcapizzi gcapizzi moved this from 🧊 Icebox to ⚙️ Chores in Korifi - Backlog Jun 20, 2022
@gcapizzi gcapizzi moved this from ⚙️ Chores to 🇪🇺 To do in Korifi - Backlog Jun 20, 2022
@danail-branekov danail-branekov moved this from 🇪🇺 To do to 🔄 In progress in Korifi - Backlog Jun 23, 2022
@danail-branekov danail-branekov self-assigned this Jun 23, 2022
danail-branekov added a commit that referenced this issue Jun 23, 2022
Also, introduce a `deployment` test to verify that

Issue: #1221
@danail-branekov danail-branekov moved this from 🔄 In progress to ⏳ Review in progress in Korifi - Backlog Jun 23, 2022
@danail-branekov danail-branekov moved this from ⏳ Review in progress to 🔄 In progress in Korifi - Backlog Jun 23, 2022
gcapizzi added a commit that referenced this issue Jun 23, 2022
Configure Korifi with `restricted` pod-security
danail-branekov added a commit that referenced this issue Jun 27, 2022
Issue: #1221

Co-authored-by: Danail Branekov <danailster@gmail.com>
@danail-branekov danail-branekov moved this from 🔄 In progress to ⌛ Reviewer approved in Korifi - Backlog Jun 27, 2022
Korifi - Backlog automation moved this from ⌛ Reviewer approved to ✅ Done Jul 13, 2022