Enable PodSecurityPolicy in our test environment #4480
Comments
Issues go stale after 90 days of inactivity. Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra. /lifecycle stale

Stale issues rot after 30 days of inactivity. Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra. /lifecycle rotten

Rotten issues close after 30 days of inactivity. Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra. /close
@knative-housekeeping-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/reopen /remove-lifecycle rotten

@Cynocracy: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Reopening this. Is this something we want to support? At least from our end, we'd like to maintain a policy, and this repo feels like the appropriate place to do so.

More info about the last attempt can be found at #4500
I think that we should be shipping a default PSP. It should be harmless for environments that aren't enforcing it, and very useful for installing into environments that require one.

Here are the docs on enabling this for GKE: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies#enabling_podsecuritypolicy_controller

I'm happy to put together PSPs for the components we ship. We can probably start with a derivative of the Tekton PSP (the main change below is MustRunAsNonRoot):

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: knative-components
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostIPC: false
  hostPID: false
  volumes:
    - 'emptyDir'
    - 'configMap'
    - 'secret'
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
```
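To see what the policy in the comment above actually admits or rejects, here is an added example (not code from the thread, from Knative, or from Kubernetes): a small local approximation of the checks the PSP admission controller applies for the fields that PSP sets, run against a constructed pod spec. Unset pod values are treated the way PSP admission would default them, and the `KNATIVE_PSP` dict and `SAMPLE_BAD_POD` are my own transcription and sample, not anything shipped by the project.

```python
# Added example, not code from the thread or from Knative: a local approximation of
# the checks the knative-components PSP above applies to a pod spec. Unset values are
# treated as PSP admission would default them (allowPrivilegeEscalation=false, runAsNonRoot=true).

KNATIVE_PSP = {  # transcribed from the PSP posted in the thread
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "hostNetwork": False, "hostIPC": False, "hostPID": False,
    "volumes": {"emptyDir", "configMap", "secret"},
    "runAsUser": "MustRunAsNonRoot",
    "idRange": (1, 65535),  # supplementalGroups and fsGroup MustRunAs ranges
}

def psp_violations(pod, psp=KNATIVE_PSP):
    """Return the reasons the PSP admission controller would reject this pod spec."""
    reasons = []
    spec = pod.get("spec", {})
    for field in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(field) and not psp[field]:
            reasons.append(f"{field} not allowed")
    for vol in spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):  # the volume source key, e.g. hostPath
            if kind not in psp["volumes"]:
                reasons.append(f"volume type {kind!r} not allowed")
    psc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp["privileged"]:
            reasons.append(f"container {c['name']}: privileged not allowed")
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            reasons.append(f"container {c['name']}: allowPrivilegeEscalation not allowed")
        # Container-level securityContext overrides the pod-level one; if neither sets a
        # UID, PSP mutates runAsNonRoot=true and the kubelet checks the image USER at runtime.
        uid = sc.get("runAsUser", psc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", psc.get("runAsNonRoot"))
        if psp["runAsUser"] == "MustRunAsNonRoot" and (uid == 0 or non_root is False):
            reasons.append(f"container {c['name']}: must run as non-root")
    lo, hi = psp["idRange"]
    for gid in [psc.get("fsGroup"), *psc.get("supplementalGroups", [])]:
        if gid is not None and not lo <= gid <= hi:
            reasons.append(f"group id {gid} outside allowed range {lo}-{hi}")
    return reasons

# Constructed sample: a pod the policy would reject on several counts.
SAMPLE_BAD_POD = {"spec": {"hostNetwork": True,
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "app", "securityContext": {"privileged": True, "runAsUser": 0}}]}}

if __name__ == "__main__":
    print("\n".join(psp_violations(SAMPLE_BAD_POD)))
```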
With the current infra it would be pretty easy, just changing https://github.com/knative/serving/blob/master/test/e2e-tests.sh#L39 to
Awesome 😍

I'm attempting to make the e2e legs here use this to test it out: knative-extensions/net-contour#107

Sounds like PSPs are out and OPA/Gatekeeper is the new hotness: https://www.youtube.com/watch?v=SFtHRmPuhEw&feature=youtu.be&t=920

Going to close this issue since PSP won't be supported in the future. From: kubernetes/kubernetes#90603
In what area(s)?
/area test-and-release
Describe the feature
To catch things like: #3237 (comment)
cc @yu2003w