Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add securityContext defaults to deployment manifest #111

Merged
merged 1 commit into from
Sep 25, 2024
Merged

feat: add securityContext defaults to deployment manifest #111

merged 1 commit into from
Sep 25, 2024

Conversation

tjespers
Copy link
Contributor

@tjespers tjespers commented Jul 4, 2024
edited
Loading

Fix ?

In it's current form, the installation instructions for capacitor in this repository do not work for clusters that are hardened following pod security best practices and have the restricted pod security standard enforced for it's flux-system namespace.

The following error will be thrown by the kubernetes API:

'pods "capacitor-XXXXX-XXXX" is forbidden: violates PodSecurity "restricted:latest":
      allowPrivilegeEscalation != false (container "capacitor" must set securityContext.allowPrivilegeEscalation=false),
      unrestricted capabilities (container "capacitor" must set securityContext.capabilities.drop=["ALL"]),
      runAsNonRoot != true (pod or container "capacitor" must set securityContext.runAsNonRoot=true),
      seccompProfile (pod or container "capacitor" must set securityContext.seccompProfile.type
      to "RuntimeDefault" or "Localhost")'

Solution

In a similar fashion to flux's security documentation this change makes the capacitor manifests compatible with the standard allowing deployment to a hardened cluster without manual configuration by the enduser.

What has been done

  • The helm values have been updated to include a securityContext compatible with the "restricted" PodSecurity standard profile
  • The manifests have been re-rendered to include this change

@tjespers
feat: add securityContext defaults to deployment manifest
434a38b 
This commit makes the deployment manifest comply with the "restricted"
PodSecurity Standard profile. Doing so allows capacitor to be deployed
to clusters enforcing this profile on the flux-system namespace without
the need for customization of the supplied manifests in this repository.
@laszlocph laszlocph merged commit c9b4837 into gimlet-io:main Sep 25, 2024
@laszlocph
Copy link
Contributor

This is a quality pull request. Sorry for keeping you waiting.

@laszlocph laszlocph mentioned this pull request Sep 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tjespers @laszlocph