feat: Include the seccompProfile in default securityContext #138

Merged (2 commits, Apr 9, 2024)

Conversation

tstraley (Contributor) commented Apr 4, 2024

This change enables deploying this Helm chart, out-of-the-box, into a namespace
that has restricted PSS (Pod Security Standards, the replacement for PSP) enforcement enabled.

Read more about PSS here: https://kubernetes.io/docs/concepts/security/pod-security-standards/

@tstraley tstraley requested a review from a team as a code owner April 4, 2024 17:38
GeorgeMac (Member) commented

Nice, thank you! I think this should be backwards compatible for folks upgrading the chart.
Can you think of anything that could go wrong in that situation @tstraley ?

tstraley (Contributor, Author) commented Apr 6, 2024

> Nice, thank you! I think this should be backwards compatible for folks upgrading the chart. Can you think of anything that could go wrong in that situation @tstraley ?

No, I can't think of any issue that would occur. In the most common case, this is a no-op (it just explicitly defines what was already used); and in the worst case, someone's cluster was configured with a different default security context that was using a more permissive seccomp profile (e.g. Unconfined), and this now chooses a more constrained and therefore more secure seccomp profile. We know that someone could not have installed this Helm chart and run Flipt without already providing a security context seccomp profile if they had a cluster configured with some more restricted, customized seccomp profile as a default; in which case, they've already set something that overrides this when it lands.

markphelps (Contributor) left a comment

Thanks @tstraley ! Would you mind bumping the chart version once more?

GeorgeMac (Member) commented

Nice one @tstraley that makes sense!

tstraley added 2 commits April 9, 2024 17:57
To abide by the restricted Pod Security Standard, the seccompProfile
type must be set in the securityContext to either RuntimeDefault or
Localhost. https://kubernetes.io/docs/concepts/security/pod-security-standards/

Flipt runs fine with the RuntimeDefault profile as it doesn't require
any special seccomp.

Allows applying this helm chart out-of-the-box into a namespace
that has restricted PSS enforcement enabled.
tstraley force-pushed the restricted-security-context branch from 8b76dfe to 0854e8b on April 9, 2024 17:59
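The commit message above states the rule the chart now satisfies (seccompProfile.type must be RuntimeDefault or Localhost under the restricted Pod Security Standard), and the Apr 6 comment reasons about what happens when a cluster default or an override sets something else. The following is an added example, not code from the flipt Helm chart, that encodes that admission rule as a checker and runs it over three constructed Pod specs: a stand-in for the chart before this PR (no seccompProfile), after it (RuntimeDefault at pod level), and a container-level Unconfined override. The container names, images and other securityContext fields are assumed for illustration, not taken from the chart.

```python
"""Restricted-PSS seccomp check over a rendered Pod spec.

Added example for this PR discussion; it is not code from the flipt Helm
chart. The Pod specs below are constructed stand-ins for what the chart
might render before and after the change, not the chart's real output.
"""

# Values the restricted Pod Security Standard accepts for
# securityContext.seccompProfile.type (Unconfined and "unset" are rejected).
ALLOWED_SECCOMP_TYPES = frozenset({"RuntimeDefault", "Localhost"})


def seccomp_type(security_context):
    """Return seccompProfile.type from a securityContext mapping, or None when unset."""
    profile = (security_context or {}).get("seccompProfile") or {}
    return profile.get("type")


def seccomp_violations(pod_spec):
    """List every way pod_spec breaks the restricted-PSS seccomp rule.

    Rule: the pod-level type, if present, must be an allowed value; a
    container may leave its own type unset only when the pod level supplies
    an allowed value; a container that sets a type must set an allowed one.
    An empty list means the Pod passes the seccomp part of the standard.
    """
    violations = []
    pod_type = seccomp_type(pod_spec.get("securityContext"))
    pod_level_ok = pod_type in ALLOWED_SECCOMP_TYPES
    if pod_type is not None and not pod_level_ok:
        violations.append(
            f"spec.securityContext.seccompProfile.type={pod_type!r} is not allowed"
        )
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field) or []:
            name = container.get("name", "?")
            ctype = seccomp_type(container.get("securityContext"))
            if ctype is None and not pod_level_ok:
                violations.append(
                    f"{field}[{name}]: seccompProfile.type unset and no allowed pod-level default"
                )
            elif ctype is not None and ctype not in ALLOWED_SECCOMP_TYPES:
                violations.append(
                    f"{field}[{name}]: seccompProfile.type={ctype!r} is not allowed"
                )
    return violations


def admitted_by_restricted_seccomp(pod_spec):
    """True when the restricted-PSS seccomp check passes."""
    return not seccomp_violations(pod_spec)


# Constructed stand-in for the chart's Pod spec before the PR: a
# securityContext with no seccompProfile at all. Container name, image and
# the other fields are assumed for illustration.
BEFORE = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "flipt", "image": "flipt/flipt",
         "securityContext": {"allowPrivilegeEscalation": False}},
    ],
}

# After the PR: the default securityContext sets seccompProfile.type to
# RuntimeDefault at pod level, which every container inherits.
AFTER = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "flipt", "image": "flipt/flipt",
         "securityContext": {"allowPrivilegeEscalation": False}},
    ],
}

# A container-level override to Unconfined takes precedence over the
# pod-level default and is rejected, even though the pod level is fine.
UNCONFINED_OVERRIDE = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "flipt", "image": "flipt/flipt",
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
    ],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER),
                        ("unconfined override", UNCONFINED_OVERRIDE)):
        print(label, "->", seccomp_violations(spec) or "ok")
```

The checker only covers the seccomp axis of the restricted profile, which is the one this PR addresses; the standard has other rules (runAsNonRoot, allowPrivilegeEscalation, capabilities) that a full check would add. For the authoritative answer, render the chart with `helm template` and submit the output with `kubectl apply --dry-run=server` to a namespace labelled `pod-security.kubernetes.io/enforce=restricted`; the API server reports the same field paths in its admission error.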
tstraley (Contributor, Author) commented Apr 9, 2024

> Thanks @tstraley ! Would you mind bumping the chart version once more?

Rebased and bumped to 0.58.0!

markphelps (Contributor) left a comment

thanks @tstraley !

kodiakhq (bot) merged commit e7d4df2 into flipt-io:main on Apr 9, 2024
2 checks passed