
feat: Enable runAsNonRoot by default #3875

Closed
mikebryant wants to merge 1 commit into cert-manager:master from mikebryant:follow-best-practices

Conversation

@mikebryant (Member) commented:

What this PR does / why we need it:

When running kyverno using https://kyverno.io/policies/pod-security/restricted/, some checks failed. This enables more secure policy by default

Special notes for your reviewer:

Not sure if this is something that you want - don't mind it being closed :)

Release note:

runAsNonRoot is now enabled by default in the securityContext values. If you're using custom containers with the chart that run as root, you will need to set this back to false.
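As an added example (not code from this PR or from the cert-manager chart), a small Python checker that applies the restricted profile's runAsNonRoot rule to a pod spec the way the kyverno restricted policy flags it: container-level `true` passes, unset passes only when the pod-level value is `true`, and an explicit container-level `false` always fails. The two sample pod specs are constructed, one mirroring the chart default after this change and one with a custom sidecar that has been set back to `false`; the field names are the standard Kubernetes `securityContext` keys.

```python
from typing import Any, Dict, List

RUN_AS_NON_ROOT = "runAsNonRoot"


def _all_containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Every container the restricted profile evaluates: regular, init and ephemeral."""
    return (spec.get("containers", []) + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def check_run_as_non_root(pod_spec: Dict[str, Any]) -> List[str]:
    """Return the list of violations (empty means compliant) of the restricted
    profile's runAsNonRoot control, as enforced by the kyverno restricted policy:
      * container-level runAsNonRoot is true, or
      * it is unset at container level and pod-level runAsNonRoot is true.
    A container-level false is always a violation, whatever the pod level says."""
    pod_level = (pod_spec.get("securityContext") or {}).get(RUN_AS_NON_ROOT)
    violations: List[str] = []
    for c in _all_containers(pod_spec):
        value = (c.get("securityContext") or {}).get(RUN_AS_NON_ROOT)
        if value is True:
            continue
        if value is False:
            violations.append(f"container {c['name']!r}: runAsNonRoot explicitly false")
        elif pod_level is not True:
            violations.append(
                f"container {c['name']!r}: runAsNonRoot unset and pod-level value is {pod_level!r}")
    return violations


# Constructed sample: pod-level default as enabled by this PR, containers inherit it.
POD_NON_ROOT_DEFAULT = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "cert-manager"}],
}

# Constructed sample: a custom sidecar that must run as root has the flag set back
# to false at container level, which the restricted policy still rejects.
POD_ROOT_SIDECAR = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "cert-manager"},
        {"name": "legacy-sidecar", "securityContext": {"runAsNonRoot": False}},
    ],
}

if __name__ == "__main__":
    for name, spec in (("default", POD_NON_ROOT_DEFAULT), ("root-sidecar", POD_ROOT_SIDECAR)):
        print(name, check_run_as_non_root(spec) or "compliant")
```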

@jetstack-bot jetstack-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. area/deploy Indicates a PR modifies deployment configuration labels Apr 9, 2021
@jetstack-bot (Contributor) commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mikebryant
To complete the pull request process, please assign munnerz
You can assign the PR to them by writing /assign @munnerz in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 9, 2021
When running kyverno using https://kyverno.io/policies/pod-security/restricted/, some checks failed. This enables more secure policy by default

Signed-off-by: Mike Bryant <mikebryant@bulb.co.uk>
@mikebryant mikebryant force-pushed the follow-best-practices branch from 0ebbcf1 to 121d557 Compare April 9, 2021 09:44
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Apr 9, 2021
@wallrj (Member) left a comment:


This seems like an improvement, thanks @mikebryant

I wonder if it'd be straightforward to install kyverno with a devel/addon/kyverno/install.sh script and maybe have an E2E test flag which makes it an optional E2E install?

It'd be nice to have a simple way of demonstrating that the cert-manager deployment was following best practices.

@jakexks (Member) commented Apr 12, 2021:

/kind feature
/milestone v1.4

@jetstack-bot jetstack-bot added this to the v1.4 milestone Apr 12, 2021
@jetstack-bot jetstack-bot added kind/feature Categorizes issue or PR as related to a new feature. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Apr 12, 2021
@jakexks (Member) commented May 21, 2021:

thanks for bringing this to our attention @mikebryant, I think a more comprehensive version of this is being reviewed in #4036
/close

@jetstack-bot (Contributor) commented:

@jakexks: Closed this PR.

In response to this:

thanks for bringing this to our attention @mikebryant, I think a more comprehensive version of this is being reviewed in #4036
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
