chore: address opa violations #332

Merged
merged 15 commits into from
Sep 24, 2024

@nirbenator nirbenator commented Sep 19, 2024

cu-86c0ccq6k - OPA Violations - Configure Liveness and Readiness Probes for node-enricher
cu-86c0ccpfj - OPA Violation - Set Resource Quotas for init-daemon and init-cert
cu-86c0ccmyv - OPA Violation - Security Context - komodor-agent

Fixes for OPA violations on liveness/readiness probes, resource quotas and missing security context

@komodor-github-warden

Linked task to ClickUp!
Go check it out and add some info: cu-86c0ccq6k

Comment on lines 12 to 27
livenessProbe:
httpGet:
path: /healthz
port: http-healthz
periodSeconds: 60
initialDelaySeconds: 15
failureThreshold: 10
successThreshold: 1
readinessProbe:
httpGet:
path: /healthz
port: http-healthz
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
successThreshold: 1
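Review bot: livenessProbe and readinessProbe both call the same /healthz path on http-healthz, so the two checks cannot tell a container that should be restarted from one that is only temporarily not ready; consider a separate readiness path. With periodSeconds: 60 and failureThreshold: 10, the liveness probe tolerates about ten minutes of consecutive failures before a restart, which deserves either a lower value or a comment explaining the choice. The named port http-healthz also has to be declared under the container's ports, which is not visible in these lines.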

The node-enricher currently does not expose a /healthz API - It's something we will need to add on the agent

Comment on lines 30 to 34
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
runAsNonRoot: true
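Review bot: fsGroup: 2000 only changes group ownership of mounted volumes, so with runAsUser: 1000 and runAsNonRoot: true the process cannot write into root-owned directories of the image filesystem. If a container covered by this securityContext has to create files, give it a writable volume (for example an emptyDir) mounted at the destination, or scope the setting to the containers that do not need such paths. Also check that this block is the pod-level securityContext, because fsGroup is not accepted at container level.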

This prevents the init container from copying the certificate into /etc


# kubectl logs -n test-chart helm-test-komodor-agent-88c75854c-4xnxq -c init-cert

~ cp: can't create '/etc/ssl/certs/mitmproxy-ca.crt': Permission denied

@nirbenator nirbenator merged commit cc77431 into master Sep 24, 2024
2 checks passed
@nirbenator nirbenator deleted the opa-issues branch September 24, 2024 12:37