Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add security context #1695

Merged
merged 1 commit into from
Feb 23, 2024
Merged

Add security context #1695

merged 1 commit into from
Feb 23, 2024

Conversation

MinerYang
Copy link
Collaborator

No description provided.

@Kajot-dev
Copy link
Contributor

I have one comment. As far as I can see, database and redis use different uids and gids from the rest of the components, so I guess global values.containerSecurityContext would have to either:

  • not include runAsUser and fsGroup and these would be hardcoded in the manifests
  • in case of database/redis use helm's omit like this omit "runAsUser" "fsGroup" and only have hardcoded uids/gids in in redis/database

@MinerYang
Copy link
Collaborator Author

MinerYang commented Feb 21, 2024
edited
Loading

Hi @Kajot-dev ,

Thanks for your review and sorry for the late response since i just came back from holidays.

We don't expose runAsUser and fsGroup in values.yaml and it is hardcoded in the manifest
And indeed, none of our containers are running as root, however we need explicitly claim this runAsNonRoot: true to meet our restricted pod security standards. https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

What I initially want to write in values.yaml is a empty yaml looks like below and users could configure it on demand. Current version is just filled with a common template for convenience.

containerSecurityContext: {}

@MinerYang MinerYang changed the title [DRAFT]Test security context Add security context Feb 21, 2024
This was referenced Feb 21, 2024
Closed
Closed
Closed
Closed
@MinerYang
Copy link
Collaborator Author

relevant PRs:

Thanks @Kajot-dev , @rgarcia89 @dwagelaar , @funkypenguin for all of the contributions!

Let's focus on review this PR to meet several requirements.

zyyw
zyyw reviewed Feb 22, 2024
View reviewed changes
values.yaml Outdated Show resolved Hide resolved
wy65701436
wy65701436 approved these changes Feb 22, 2024
View reviewed changes
Copy link
Contributor

@wy65701436 wy65701436 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

rgarcia89
rgarcia89 approved these changes Feb 22, 2024
View reviewed changes
Copy link
Contributor

@rgarcia89 rgarcia89 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Kajot-dev
Kajot-dev suggested changes Feb 22, 2024
View reviewed changes
Copy link
Contributor

@Kajot-dev Kajot-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one thing in core-pre-upgrade job, the rest looks good to me

templates/core/core-pre-upgrade-job.yaml Outdated Show resolved Hide resolved
@MinerYang
test-container-security-context
7913d7e 
Signed-off-by: yminer <yminer@vmware.com>

update for trivy and db

update db-ss init container

Signed-off-by: yminer <yminer@vmware.com>

update core-pre-upgrade-job.yaml

Signed-off-by: yminer <yminer@vmware.com>

update values.yaml

fix core-pre-upgrade-job typo
@MinerYang MinerYang merged commit bd7da40 into goharbor:main Feb 23, 2024
6 checks passed
@zyyw zyyw mentioned this pull request Feb 23, 2024
Closed
@zyyw zyyw mentioned this pull request May 30, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rgarcia89 rgarcia89 rgarcia89 approved these changes

@Kajot-dev Kajot-dev Kajot-dev requested changes

@wy65701436 wy65701436 wy65701436 approved these changes

@zyyw zyyw zyyw approved these changes

Assignees
No one assigned
Labels
release-note/update target/1.15.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@MinerYang @Kajot-dev @wy65701436 @rgarcia89 @zyyw