This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[stable/sealed-secrets] Support PSP #15254

Merged 1 commit on Jul 9, 2019


ArchiFleKs
Contributor

Support PSP with sensible default.

  • DCO signed
  • Chart Version bumped
  • Variables are documented in the README.md
  • Title of the PR starts with chart name (e.g. [stable/chart])

@helm-bot helm-bot added Contribution Allowed If the contributor has signed the DCO or the CNCF CLA (prior to the move to a DCO). size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 4, 2019
@k8s-ci-robot
Contributor

Hi @ArchiFleKs. Thanks for your PR.

I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 4, 2019
- '*'
fsGroup:
rule: RunAsAny
privileged: true
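
Review bot: `privileged: true` on the last line of this hunk means the policy admits privileged containers, which is not a sensible default for a chart that has not shown it needs them; set it to `privileged: false`. The `- '*'` entry and `fsGroup` with `rule: RunAsAny` are likewise unrestricted: replace the wildcard with the explicit values the chart actually uses, and consider `rule: MustRunAs` with a range for `fsGroup`.
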
Collaborator

This is way too permissive. I see no reason why sealed-secrets would need privileged, hostPID, hostIPC, hostNetwork.

Contributor Author

I know, that's why I said permissive. I don't really know the permissions of the app.

This was a first try to be able to run this app the same way on a pod security policy enabled cluster or not. But if you prefer we can narrow it down right now.

Basically I just picked on other Charts

I agree it is not ideal, it is more for compatibility issues.

Collaborator

Yes please narrow it down by disabling: privileged, hostPID, hostIPC, hostNetwork. Thanks
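
A PodSecurityPolicy narrowed the way this review comment asks, as an added example that is not the chart's own template or code from this PR. The policy name, the volume types and the ID ranges are assumptions to adjust to what the workload really uses; the settings beyond the four named in the comment go further than the review requested.

```yaml
# Added example: constructed policy, not taken from the chart.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: sealed-secrets-restricted   # hypothetical name
spec:
  # The four settings the reviewer asked to disable.
  privileged: false
  hostPID: false
  hostIPC: false
  hostNetwork: false
  # Further tightening (assumption, beyond the review request).
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # Explicit volume types rather than a '*' wildcard (assumed list).
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1        # assumed range
        max: 65535
  fsGroup:
    rule: MustRunAs   # instead of RunAsAny
    ranges:
      - min: 1        # assumed range
        max: 65535
```

The policy only takes effect for pods whose service account is granted the `use` verb on it through RBAC. PodSecurityPolicy was removed in Kubernetes 1.25, so this applies to older clusters only.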

Contributor Author

@stefanprodan should be good now

@helm-bot helm-bot removed the Contribution Allowed If the contributor has signed the DCO or the CNCF CLA (prior to the move to a DCO). label Jul 6, 2019
@helm-bot helm-bot added the Contribution Allowed If the contributor has signed the DCO or the CNCF CLA (prior to the move to a DCO). label Jul 8, 2019
Support PSP with sensible default.

Signed-off-by: Kevin Lefevre <[email protected]>
@ArchiFleKs
Contributor Author

/retest

@k8s-ci-robot
Contributor

@ArchiFleKs: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stefanprodan
Collaborator

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 9, 2019
@stefanprodan
Collaborator

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2019
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ArchiFleKs, stefanprodan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 9, 2019
@k8s-ci-robot k8s-ci-robot merged commit a431bb9 into helm:master Jul 9, 2019
@ArchiFleKs ArchiFleKs deleted the sealed-secrets/psp branch July 9, 2019 10:22
ThoTischner pushed a commit to bitsbeats/charts that referenced this pull request Aug 13, 2019
Support PSP with sensible default.

Signed-off-by: Kevin Lefevre <[email protected]>