feat(config): add default security context #25
Conversation
Thanks for the PR, @micnncim! These seem like reasonable defaults, especially since based on the Slack conversation you referenced, @kskewes has been running Spinnaker with these defaults without any issues. It looks like @kskewes' `securityContext` configuration also includes `privileged: false` and `capabilities: drop: ["ALL"]`: are these redundant or was there any other reason for excluding them?
@maggieneterval Thank you for your review! First, I've dropped Second, I've dropped However, I follow you if you have different, rational opinions to add them 😄

@micnncim That all makes sense; you are definitely more familiar with what would be a reasonable set of
We haven't yet tried setting a different user to the one defined in the Dockerfile's (100, 101, 33 Deck). I guess it could be file permissions, but if you've tested it please let us know. :) Suggest adding to

This is required when Kubernetes mounts in tokens like the AWS IRSA token into containers, otherwise they get mounted owned by

Oh, nice! I agree with you.
In general, we should configure `securityContext` to keep least privileges, like using non-root. The users may miss `securityContext` without a default one configured, and also it would be cumbersome to configure them for each kustomization patch. That's why I believe this base kustomization should have a default `securityContext`. And also, I've found @ezimanyi agreed with this idea in the Spinnaker Slack #kleat channel.