
Disable PSP and configure securityContext properly for observability pods #15744

Merged: 2 commits, Oct 18, 2022

Conversation

@a-thaler (Contributor) commented Oct 6, 2022

Description

Changes proposed in this pull request:

  • Disabled all PSPs
  • Configured securityContext where possible
  • Disabled Grafana's initChownData initContainer as it is not required and needs special permissions

Remaining warnings for the restricted security level are:

Warning: monitoring-prometheus-node-exporter-kj8bv: host namespaces, hostPort, restricted volume types
Warning: telemetry-fluent-bit-vbk9q: unrestricted capabilities, restricted volume types, runAsNonRoot != true
Warning: tracing-jaeger-7d6cdffb9b-9rfz5: allowPrivilegeEscalation != false, unrestricted capabilities

Remaining warnings for the baseline security level are:

Warning: monitoring-prometheus-node-exporter-kj8bv: host namespaces, hostPath volumes, hostPort

The reasoning behind that is:

  • fluent-bit must read from the host filesystem, requires capabilities for that, and must run as root
  • prometheus-node-exporter requires access to the host as well
  • with the jaeger-operator in its current version, a securityContext on container level cannot be set; we would need to update it first

I applied these default settings:

podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

containerSecurityContext:
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

Related issue(s)
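As an added example (not code from this PR or from the kyma project), the following Python script evaluates a pod manifest against the baseline and restricted checks that the warning lines above name (host namespaces, hostPath volumes, hostPort, restricted volume types, allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile) and reports them in the same `Warning: <pod>: <reasons>` style, so a chart change can be pre-checked before it reaches a namespace with `pod-security.kubernetes.io/warn` set. The pod names, specs and helper names are constructed for the example; the second pod is shaped like the fluent-bit case (hostPath read as root with an added capability).

```python
"""Pod Security Standards pre-flight check (added example, not the PR's code).

Takes a pod manifest as a dict (e.g. the result of yaml.safe_load) and returns
the baseline/restricted findings in the wording the PR's warnings use.
All pod specs below are constructed sample input.
"""

HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")
# Volume types the restricted profile allows; anything else (hostPath, ...) is flagged.
RESTRICTED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                           "persistentVolumeClaim", "projected", "secret"}
SECCOMP_ALLOWED = {"RuntimeDefault", "Localhost"}


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def _effective(pod, container, field):
    """Container-level securityContext wins over pod-level for shared fields."""
    csc = container.get("securityContext") or {}
    if field in csc:
        return csc[field]
    return (pod.get("spec", {}).get("securityContext") or {}).get(field)


def _volume_type(volume):
    # A volume is {"name": ..., "<type>": {...}}; the non-name key is its type.
    return next((k for k in volume if k != "name"), None)


def baseline_violations(pod):
    spec = pod.get("spec", {})
    reasons = []
    if any(spec.get(f) for f in HOST_NAMESPACE_FIELDS):
        reasons.append("host namespaces")
    if any((c.get("securityContext") or {}).get("privileged") for c in _containers(pod)):
        reasons.append("privileged")
    if any(_volume_type(v) == "hostPath" for v in spec.get("volumes", [])):
        reasons.append("hostPath volumes")
    if any(p.get("hostPort") for c in _containers(pod) for p in c.get("ports", [])):
        reasons.append("hostPort")
    return reasons


def restricted_violations(pod):
    """Restricted is a superset of baseline, so baseline findings come first."""
    reasons = baseline_violations(pod)
    spec = pod.get("spec", {})
    containers = _containers(pod)
    if any(_volume_type(v) not in RESTRICTED_VOLUME_TYPES for v in spec.get("volumes", [])):
        reasons.append("restricted volume types")
    # Restricted requires an explicit false; unset counts as a violation.
    if any(_effective(pod, c, "allowPrivilegeEscalation") is not False for c in containers):
        reasons.append("allowPrivilegeEscalation != false")
    for c in containers:
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        # Must drop ALL; the only capability that may be added back is NET_BIND_SERVICE.
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            reasons.append("unrestricted capabilities")
            break
    if any(_effective(pod, c, "runAsNonRoot") is not True for c in containers):
        reasons.append("runAsNonRoot != true")
    if any((_effective(pod, c, "seccompProfile") or {}).get("type") not in SECCOMP_ALLOWED
           for c in containers):
        reasons.append("seccompProfile")
    return reasons


def warning_line(pod, level):
    """Return the warning string for one pod, or "" when it passes the level."""
    check = {"baseline": baseline_violations, "restricted": restricted_violations}[level]
    reasons = check(pod)
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    return f"Warning: {name}: {', '.join(reasons)}" if reasons else ""


# Constructed sample: a pod using the PR's default pod/container securityContext.
COMPLIANT_POD = {
    "metadata": {"name": "example-compliant-0"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app",
            "securityContext": {"allowPrivilegeEscalation": False, "privileged": False,
                                "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
        }],
        "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
    },
}

# Constructed sample shaped like a log collector: reads host paths as root with an added cap.
HOST_READER_POD = {
    "metadata": {"name": "example-log-collector-0"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "collector",
            "securityContext": {"allowPrivilegeEscalation": False, "runAsNonRoot": False,
                                "capabilities": {"drop": ["ALL"], "add": ["DAC_READ_SEARCH"]}},
        }],
        "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
    },
}

if __name__ == "__main__":
    for level in ("baseline", "restricted"):
        for pod in (COMPLIANT_POD, HOST_READER_POD):
            print(f"[{level}] " + (warning_line(pod, level) or pod["metadata"]["name"] + ": ok"))
```

Running it shows the compliant pod passing both levels and the host-reading pod failing baseline only on the hostPath volume, while restricted additionally flags the volume type, the added capability and runAsNonRoot, which matches the split the PR describes between what can be fixed by securityContext defaults and what is inherent to host-level collectors.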

@kyma-bot kyma-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 6, 2022
@kyma-bot (Contributor) commented Oct 6, 2022

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kyma-bot kyma-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 6, 2022
@a-thaler (Contributor, Author) commented Oct 6, 2022

/test all

@a-thaler (Contributor, Author) commented Oct 7, 2022

/retest

@a-thaler a-thaler marked this pull request as ready for review October 18, 2022 09:28
@kyma-bot kyma-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 18, 2022
@kyma-bot kyma-bot added the lgtm Looks good to me! label Oct 18, 2022
@kyma-bot kyma-bot merged commit 30171e5 into kyma-project:main Oct 18, 2022
@a-thaler a-thaler deleted the psp branch October 19, 2022 07:46
@a-thaler a-thaler added area/monitoring Issues or PRs related to the monitoring module (deprecated) area/tracing Issues or PRs related to the tracing module (deprecated) area/logging Issues or PRs related to the logging module (deprecated) labels Oct 19, 2022
@a-thaler a-thaler added this to the 2.9 milestone Oct 19, 2022