Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add security context #1695

Merged
merged 1 commit into from
Feb 23, 2024
Merged

Add security context #1695

merged 1 commit into from
Feb 23, 2024

Conversation

MinerYang
Copy link
Collaborator

No description provided.

@Kajot-dev
Copy link
Contributor

I have one comment. As far as I can see, database and redis use different uids and gids from the rest of the components, so I guess global values.containerSecurityContext would have to either:

  • not include runAsUser and fsGroup and these would be hardcoded in the manifests
  • in case of database/redis use helm's omit like this omit "runAsUser" "fsGroup" and only have hardcoded uids/gids in in redis/database

@MinerYang
Copy link
Collaborator Author

MinerYang commented Feb 21, 2024
edited
Loading

Hi @Kajot-dev ,

Thanks for your review and sorry for the late response since i just came back from holidays.

We don't expose runAsUser and fsGroup in values.yaml and it is hardcoded in the manifest
And indeed, none of our containers are running as root, however we need explicitly claim this runAsNonRoot: true to meet our restricted pod security standards. https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

What I initially want to write in values.yaml is a empty yaml looks like below and users could configure it on demand. Current version is just filled with a common template for convenience.

containerSecurityContext: {}

@MinerYang MinerYang changed the title [DRAFT]Test security context Add security context Feb 21, 2024
This was referenced Feb 21, 2024
Closed
Closed
Closed
Closed
@MinerYang
Copy link
Collaborator Author

relevant PRs:

Thanks @Kajot-dev , @rgarcia89 @dwagelaar , @funkypenguin for all of the contributions!

Let's focus on review this PR to meet several requirements.

@MinerYang MinerYang requested a review from wy65701436 February 21, 2024 03:21
@MinerYang MinerYang force-pushed the test_security_context branch from 074a6f4 to bb79b1b Compare February 22, 2024 06:08
zyyw
zyyw reviewed Feb 22, 2024
View reviewed changes
values.yaml Outdated Show resolved Hide resolved
@MinerYang MinerYang force-pushed the test_security_context branch from bb79b1b to 478756a Compare February 22, 2024 10:05
wy65701436
wy65701436 approved these changes Feb 22, 2024
View reviewed changes
Copy link
Contributor

@wy65701436 wy65701436 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

rgarcia89
rgarcia89 approved these changes Feb 22, 2024
View reviewed changes
Copy link
Contributor

@rgarcia89 rgarcia89 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Kajot-dev
Kajot-dev suggested changes Feb 22, 2024
View reviewed changes
Copy link
Contributor

@Kajot-dev Kajot-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one thing in core-pre-upgrade job, the rest looks good to me

templates/core/core-pre-upgrade-job.yaml Outdated Show resolved Hide resolved
@MinerYang
test-container-security-context
7913d7e 
Signed-off-by: yminer <[email protected]>

update for trivy and db

update db-ss init container

Signed-off-by: yminer <[email protected]>

update core-pre-upgrade-job.yaml

Signed-off-by: yminer <[email protected]>

update values.yaml

fix core-pre-upgrade-job typo
@MinerYang MinerYang force-pushed the test_security_context branch from 478756a to 7913d7e Compare February 23, 2024 03:26
@MinerYang MinerYang merged commit bd7da40 into goharbor:main Feb 23, 2024
6 checks passed
@zyyw zyyw mentioned this pull request Feb 23, 2024
Closed
@zyyw zyyw mentioned this pull request May 30, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rgarcia89 rgarcia89 rgarcia89 approved these changes

@Kajot-dev Kajot-dev Kajot-dev requested changes

@zyyw zyyw zyyw approved these changes

@wy65701436 wy65701436 wy65701436 approved these changes

Assignees
No one assigned
Labels
release-note/update target/1.15.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@MinerYang @Kajot-dev @wy65701436 @rgarcia89 @zyyw