Enterprise License Job PodSecurityPolicy #325

lkysow · 2020-01-06T20:31:53Z

add podsecuritypolicy for enterprise license job following the pattern
for other psps
set same requirements across resources for rendering: servers enabled
and enterprise license secret fully specified. The different resources
had different requirements before, for example that clients are running
or that bootstrapACLs are true
always create a separate service account for the job, even if acls are
disabled. This is to match the pattern across the rest of the templates
where we always create a separate service account
remove comment across our PSP's that RunAsAny prevented running as root. This is not correct.

RunAsAny means "No default provided. Allows any runAsUser to be specified.", it does not mean that the container must run as non-root. That rule is MustRunAsNonRoot.

lkysow · 2020-01-06T20:35:51Z

@adilyse would appreciate a look at this from you. In #172 you made using a separate service account for the ent-license job dependent on whether ACLs were enabled. This was because the clusterrole was only needed if acls were enabled.

Now the clusterrole is needed if ACLs are enabled or if psp's are enabled. I could add that conditional to the service account but I looked at the rest of our templates and we're always creating a service account, even if we don't need to target it via a clusterrole rule. I think this pattern makes sense (to always have a service account per component) but would like your review.

ishustava

Looks good to me! I left a couple of comments, but nothing blocking.

templates/enterprise-license-clusterrole.yaml

ishustava · 2020-01-10T01:13:45Z

templates/client-podsecuritypolicy.yaml

@@ -41,7 +41,6 @@ spec:
  hostIPC: false
  hostPID: false
  runAsUser:
-    # Require the container to run without root privileges.


I'm curious, are you deleting these comments because of duplication?

I'm deleting them because they're incorrect. RunAsAny means the container can run as anything. It doesn't prevent root. MustRunAs or MayRunAs can be used to prevent root.

- add podsecuritypolicy for enterprise license job following the pattern for other psps - set same requirements across resources for rendering: servers enabled and enterprise license secret fully specified. The different resources had different requirements before, for example that clients are running or that bootstrapACLs are true - always create a separate service account for the job, even if acls are disabled. This is to match the pattern across the rest of the templates where we always create a separate service account

Remove incorrect comment on RunAsAny

96282d1

RunAsAny means "No default provided. Allows any runAsUser to be specified.", it does not mean that the container must run as non-root. That rule is MustRunAsNonRoot.

lkysow requested a review from a team January 6, 2020 20:36

lkysow force-pushed the psps branch 3 times, most recently from c6ec995 to fcd7d3f Compare January 9, 2020 16:59

ishustava approved these changes Jan 10, 2020

View reviewed changes

lkysow force-pushed the psps branch from fcd7d3f to 13030c4 Compare January 10, 2020 17:03

lkysow merged commit 1e9f22f into master Jan 10, 2020

lkysow deleted the psps branch January 10, 2020 17:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enterprise License Job PodSecurityPolicy #325

Enterprise License Job PodSecurityPolicy #325

lkysow commented Jan 6, 2020

lkysow commented Jan 6, 2020

ishustava left a comment

ishustava Jan 10, 2020

lkysow Jan 10, 2020

Enterprise License Job PodSecurityPolicy #325

Enterprise License Job PodSecurityPolicy #325

Conversation

lkysow commented Jan 6, 2020

lkysow commented Jan 6, 2020

ishustava left a comment

Choose a reason for hiding this comment

ishustava Jan 10, 2020

Choose a reason for hiding this comment

lkysow Jan 10, 2020

Choose a reason for hiding this comment