Allow to run with restricted pod security standards #2072
Conversation
I have tested the changes, and I can deploy tenants and place objects with these values. This modification appears promising to me, especially when the pod-security.kubernetes.io/enforce=restricted label is utilized in the namespace.
If the decommissioning test fails, I believe we can disregard this failure as it is not relevant. However, the improvements needed for the test itself should be addressed in a new PR.
@ramondeklein approved but let's resolve conflicts
Great, currently reviewing and testing!
All good, just a minor change requested. And thank you for adding the test in the Helm chart.
Added newline, so review became stale...
It's possible to enforce pod security standards by either adding labels or by configuring the built-in admission controller. There are three modes available: privileged (default), baseline and restricted. It looks like both the operator and tenants work in restricted mode, but it requires that all `containerSecurityContext` values need the following settings:

This setting can be found in the following places:

- `operator.containerSecurityContext` (Operator helm chart)
- `console.containerSecurityContext` (Operator helm chart)
- `tenant.pools[*].containerSecurityContext` (Tenant helm chart)

This PR adds these values to the Helm charts `values.yaml` files to ensure that the deployment/stateful-set is also allowed when pod security is set to `restricted`. The console is also updated to ensure that it also deploys `tenant` resources with these values set. All CI/CD tests are updated so they run with the `operator` namespace in `restricted` mode.
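As an added example (not code from this PR, the operator or its Helm charts), the following Python check applies the container-level rules of the `restricted` profile, as defined by the Kubernetes Pod Security Standards, to a `containerSecurityContext` dict; the two sample contexts are constructed, and a chart value that fails the check is what the admission controller would reject in a namespace labelled `pod-security.kubernetes.io/enforce=restricted`.

```python
"""Check a containerSecurityContext against the container-level rules of the
Kubernetes 'restricted' Pod Security Standard.  Added example, not code from
the operator or its Helm charts; rules follow the Kubernetes Pod Security
Standards documentation and the sample contexts are constructed."""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def check_restricted(container_ctx: dict, pod_ctx: dict = None) -> list:
    """Return the restricted-profile violations for one container; pod_ctx is
    the pod-level securityContext, from which runAsNonRoot, runAsUser and
    seccompProfile may be inherited."""
    pod_ctx = pod_ctx or {}
    violations = []
    if container_ctx.get("privileged") is True:
        violations.append("privileged must not be true")
    # Must be explicitly false; an unset value is rejected.
    if container_ctx.get("allowPrivilegeEscalation") is not False:
        violations.append("allowPrivilegeEscalation must be set to false")
    # Container value wins, otherwise fall back to the pod-level value.
    if container_ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
        violations.append("runAsNonRoot must be true (on the pod or the container)")
    if container_ctx.get("runAsUser", pod_ctx.get("runAsUser")) == 0:
        violations.append("runAsUser must not be 0")
    seccomp = container_ctx.get("seccompProfile", pod_ctx.get("seccompProfile")) or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        violations.append("seccompProfile.type must be RuntimeDefault or Localhost")
    caps = container_ctx.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        violations.append("capabilities.drop must include ALL")
    extra = sorted(set(caps.get("add") or []) - ALLOWED_ADD_CAPS)
    if extra:
        violations.append(f"capabilities.add may only contain NET_BIND_SERVICE, got {extra}")
    return violations


# Constructed sample: a context that only sets user/group is rejected in a
# namespace labelled pod-security.kubernetes.io/enforce=restricted ...
DEFAULT_CONTEXT = {"runAsUser": 1000, "runAsGroup": 1000}
# ... while this one satisfies every container-level restricted rule.
RESTRICTED_CONTEXT = {
    "runAsUser": 1000, "runAsGroup": 1000, "runAsNonRoot": True,
    "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}

if __name__ == "__main__":
    for name, ctx in (("default", DEFAULT_CONTEXT), ("restricted", RESTRICTED_CONTEXT)):
        print(name, check_restricted(ctx) or "OK")
```

The pod-level fallback matters for charts that set `runAsNonRoot` or `seccompProfile` in the pod `securityContext` rather than per container; both placements satisfy the profile.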