
Setup security context of controller deployment, enforce restricted PodSecurity in namespace #1342

Merged

Conversation


@SaschaSchwarze0 SaschaSchwarze0 commented Jul 26, 2023

Changes

This pull request configures the security of the controller deployment to fulfill the restricted PodSecurity profile. The namespace is configured to enforce this. The KinD configuration is updated to enable PodSecurity admission. I also update the KinD version to be current. I had to change the e2e that we run here in GitHub to use its own namespace because build strategies like Kaniko require elevated permissions beyond privileged. And in general, we should have never used this namespace imo. I also updated the documentation in that regard.

Fixes #1331

Submitter Checklist

  • Includes tests if functionality changed/was added
  • Includes docs if changes are user-facing
  • Set a kind label on this PR
  • Release notes block has been filled in, or marked NONE

Release Notes

The shipwright-build namespace is now configured to enforce restricted PodSecurity. The shipwright-build-controller deployment was updated to fulfill all requirements.
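As an added example (not code from this pull request or the shipwright-io project), the following checker encodes the core rules of the restricted Pod Security Standard that a namespace labelled `pod-security.kubernetes.io/enforce: restricted` enforces, and runs them over two constructed pod specs: an unhardened controller pod and one carrying the securityContext fields the profile requires. The rule set is assumed from the upstream Pod Security Standards documentation, and the field values are illustrative, not the PR's actual manifest.

```python
# Added example (not code from the shipwright-io/build PR): checks a Pod spec
# against the core rules of the Kubernetes "restricted" Pod Security Standard,
# the profile a namespace labelled pod-security.kubernetes.io/enforce=restricted
# enforces. Rule set is assumed from the upstream Pod Security Standards docs;
# volume-type, hostPort and /proc mount rules are omitted for brevity.

def restricted_violations(pod_spec: dict) -> list[str]:
    """Return human-readable violations; an empty list means the spec passes."""
    found = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            found.append(f"spec.{key} must be false")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        # runAsNonRoot and seccompProfile may be set on the pod; a container
        # value overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found

# Constructed pod specs. The first is what a typical controller deployment looks
# like before hardening; the second carries the settings the restricted profile
# requires (illustrative field values, not the PR's actual manifest).
BEFORE = {"containers": [{"name": "controller", "image": "example/controller"}]}

AFTER = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "controller", "image": "example/controller",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_violations(spec) or "compliant")
```

Running it lists four violations for the unhardened spec and none for the hardened one, which is the same outcome the admission controller produces when the namespace enforces the restricted profile.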

@SaschaSchwarze0 SaschaSchwarze0 added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 26, 2023
@SaschaSchwarze0 SaschaSchwarze0 added this to the release-v0.12.0 milestone Jul 26, 2023
@openshift-ci openshift-ci bot added the release-note Label for when a PR has specified a release note label Jul 26, 2023
@openshift-ci openshift-ci bot requested review from otaviof and qu1queee July 26, 2023 19:19
@SaschaSchwarze0 SaschaSchwarze0 force-pushed the sascha-psa branch 2 times, most recently from a266b5f to d95306f Compare July 27, 2023 11:12

@qu1queee qu1queee left a comment


nice!

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 27, 2023

openshift-ci bot commented Jul 27, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qu1queee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 27, 2023
@openshift-merge-robot openshift-merge-robot merged commit 590873d into shipwright-io:main Jul 27, 2023
11 checks passed
@SaschaSchwarze0 SaschaSchwarze0 deleted the sascha-psa branch August 21, 2023 18:08
@pull-request-size pull-request-size bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 18, 2023
Successfully merging this pull request may close these issues.

Ensure SecurityContext of Controllers are inline with Kubernetes PSA