Enable runAsNonRoot by default #4036
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
When running kyverno using https://kyverno.io/policies/pod-security/restricted/, some checks failed. This enables more secure policy by default.
Signed-off-by: Mike Bryant <mikebryant@bulb.co.uk>
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
… policy
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
devel/addon/ingressnginx/install.sh
| --install \ | ||
| --wait \ | ||
| --version 3.15.2 \ | ||
| --version 3.31.0 \ |
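Review bot: the chart bump from `--version 3.15.2` to `--version 3.31.0` in devel/addon/ingressnginx/install.sh spans many ingress-nginx releases and is unrelated to enabling runAsNonRoot; keep it in its own PR, as the thread proposes, so an E2E regression from the chart upgrade can be bisected separately from the policy change, and record in that commit message why the newer chart is wanted.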
I attempted to configure ingress-nginx for non-root operation, but the containerPort values in the Helm chart don't seem to change the nginx listening port. See helm/charts#14605
So I've configured kyverno to ignore the ingress-nginx namespace.
I'll move this change to a separate PR, since it's not necessary here.
/test pull-cert-manager-e2e-v1-16
There's no need to also set it by default on the container.
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
…E test namespaces
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
The NET_BIND_SERVICE privilege is only needed when binding to privileged ports.
Signed-off-by: Richard Wall <richard.wall@jetstack.io>
/test pull-cert-manager-e2e-v1-16
/test pull-cert-manager-e2e-v1-21
irbekrm left a comment
Looks great to me; glad we will have this check, and I had a chance to learn about Kyverno!
| users. | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/subject: Pod | ||
| name: require-run-as-non-root |
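Review bot: the vendored policy fragment carries the severity and subject annotations but nothing visible records which upstream revision of https://kyverno.io/policies/pod-security/restricted/ it was copied from; add a comment or annotation with the source URL and the version it was taken from so the file can later be diffed against upstream and refreshed when the restricted profile changes.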
👍🏼 so this policy would have been triggered if we didn't have securityContext.runAsNonRoot.
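To make concrete what the reviewer's remark above means (the policy fires when nothing sets `securityContext.runAsNonRoot`) and the NET_BIND_SERVICE point from the commit message (the capability is only needed when binding a port below 1024), here is an added example that evaluates Pod specs offline. It is not code from this PR, from cert-manager or from Kyverno; it is this page's own reading of the two rules, and the sample manifests, names and ports in it are constructed. One assumption is called out in the code: it treats `containerPort` as the port the process binds, which the ingress-nginx thread shows is not always true.

```python
"""Offline check of Pod specs against two restricted-profile rules.

Added example, not code from the cert-manager repository or from Kyverno.
Rules as implemented here (this file's reading of the policy):
  1. run-as-non-root: the effective runAsNonRoot of every container and
     initContainer must be true, where a container-level value overrides the
     Pod-level spec.securityContext.runAsNonRoot.  This matches a policy that
     accepts either "Pod sets it true and no container overrides it to false"
     or "every container sets it true itself".
  2. NET_BIND_SERVICE least privilege: a container declaring a containerPort
     below 1024 must add the capability; one declaring no such port must not.
     Assumption: containerPort is the port the process binds.
"""
from typing import Dict, List

PRIVILEGED_PORT_MAX = 1023


def _all_containers(spec: Dict) -> List[Dict]:
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def run_as_non_root_violations(spec: Dict) -> List[str]:
    """One message per container whose effective runAsNonRoot is not true."""
    pod_level = spec.get("securityContext", {}).get("runAsNonRoot")
    violations = []
    for c in _all_containers(spec):
        ctr_level = c.get("securityContext", {}).get("runAsNonRoot")
        effective = ctr_level if ctr_level is not None else pod_level
        if effective is not True:
            violations.append(f"container {c['name']}: runAsNonRoot is not true")
    return violations


def net_bind_service_violations(spec: Dict) -> List[str]:
    """Flag a missing capability for privileged ports and an unneeded one otherwise."""
    violations = []
    for c in _all_containers(spec):
        caps = c.get("securityContext", {}).get("capabilities", {})
        has_cap = "NET_BIND_SERVICE" in caps.get("add", [])
        binds_privileged = any(
            0 < p.get("containerPort", 0) <= PRIVILEGED_PORT_MAX for p in c.get("ports", [])
        )
        if binds_privileged and not has_cap:
            violations.append(f"container {c['name']}: binds a port below 1024 without NET_BIND_SERVICE")
        if has_cap and not binds_privileged:
            violations.append(f"container {c['name']}: adds NET_BIND_SERVICE but declares no privileged port")
    return violations


def check_pod(pod: Dict) -> List[str]:
    spec = pod["spec"]
    return run_as_non_root_violations(spec) + net_bind_service_violations(spec)


# Constructed sample manifests (not taken from the repository).
SAMPLE_PODS = {
    # passes: Pod-level runAsNonRoot, unprivileged port, no extra capability
    "webhook": {"spec": {"securityContext": {"runAsNonRoot": True},
                         "containers": [{"name": "webhook", "ports": [{"containerPort": 10250}]}]}},
    # passes: no Pod-level setting, but every container sets it
    "per-container": {"spec": {"initContainers": [{"name": "init", "securityContext": {"runAsNonRoot": True}}],
                               "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}]}},
    # fails both rules: nothing sets runAsNonRoot and port 80 is bound without the capability
    "legacy-ingress": {"spec": {"containers": [{"name": "nginx", "ports": [{"containerPort": 80}]}]}},
    # fails: Pod says non-root, one sidecar overrides it to root
    "override": {"spec": {"securityContext": {"runAsNonRoot": True},
                          "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}},
                                         {"name": "sidecar", "securityContext": {"runAsNonRoot": False}}]}},
    # fails only the least-privilege rule: NET_BIND_SERVICE added for port 8443
    "over-capable": {"spec": {"securityContext": {"runAsNonRoot": True},
                              "containers": [{"name": "api", "ports": [{"containerPort": 8443}],
                                              "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}},
}


def evaluate_all() -> Dict[str, List[str]]:
    return {name: check_pod(pod) for name, pod in SAMPLE_PODS.items()}


if __name__ == "__main__":
    for name, problems in evaluate_all().items():
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Running it prints PASS for the first two manifests and FAIL with the reason for the other three. The "override" case is the one worth keeping in mind: a Pod-level `runAsNonRoot: true` is not enough on its own, because a single container can set it back to `false`, so the check is per container.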
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irbekrm, wallrj

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
This one is a known flake AFAIR.
/test pull-cert-manager-e2e-v1-21
/lgtm
Picking up #3875 and modifying the E2E test scripts to install Kyverno, which is the policy tool that @mikebryant used to identify the original problem.
I install the restrictive Kyverno pod security policy.
And I've updated some of the E2E addon components to satisfy this policy; others I couldn't get working, so I configured Kyverno to ignore the resources in those namespaces.
Release note:
Fixes: #3721
/kind feature
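The setup the description outlines (a restricted "require run as non-root" policy, a namespace that is deliberately skipped because its addon could not be made to run non-root, and workloads updated to comply) looks roughly like the following. This is an added illustration, not a file from this PR or from the cert-manager repository. It assumes the namespace exclusion is written into the policy itself rather than into Kyverno's resourceFilters ConfigMap, and the Deployment name, image, `--secure-port` flag and port 10250 are placeholders.

```yaml
# Added example, not a file from this PR. A restricted-style "require run as
# non-root" ClusterPolicy with one namespace excluded, followed by a workload
# spec that satisfies it. Assumptions: the exclusion lives in the policy rather
# than in Kyverno's resourceFilters ConfigMap; names, image, flag and port below
# are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-non-root
  annotations:
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
spec:
  validationFailureAction: enforce   # reject non-compliant Pods instead of only auditing
  background: true
  rules:
  - name: check-containers
    match:
      resources:
        kinds:
        - Pod
    exclude:
      resources:
        namespaces:
        - ingress-nginx                # addon that could not yet be run non-root
    validate:
      message: >-
        Running as root is not allowed. Set spec.securityContext.runAsNonRoot
        to true, or set securityContext.runAsNonRoot to true on every
        container and initContainer.
      anyPattern:
      # Either the Pod sets it and no container overrides it to false ...
      - spec:
          securityContext:
            runAsNonRoot: true
          =(initContainers):
          - =(securityContext):
              =(runAsNonRoot): true
          containers:
          - =(securityContext):
              =(runAsNonRoot): true
      # ... or every container and initContainer sets it explicitly.
      - spec:
          =(initContainers):
          - securityContext:
              runAsNonRoot: true
          containers:
          - securityContext:
              runAsNonRoot: true
---
# A compliant workload: non-root at Pod level, an unprivileged listening port,
# and no NET_BIND_SERVICE because nothing binds below 1024.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-webhook            # placeholder
  namespace: example               # placeholder; not an excluded namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-webhook
  template:
    metadata:
      labels:
        app: example-webhook
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
      - name: webhook
        image: example.invalid/webhook:1.0   # placeholder image
        args: ["--secure-port=10250"]          # assumed flag name
        ports:
        - containerPort: 10250
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
```

With `validationFailureAction: enforce`, an admission request for a Pod in any non-excluded namespace that leaves `runAsNonRoot` unset (or sets it to `false` on one container) is rejected with the message above, which is the failure the E2E run is meant to surface. The exclusion is a pragmatic gap, not a fix: a component listed there still runs as root and should be tracked until it can be removed from the list.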