Add ability to create PSP #347
This honestly looks great! Were you thinking that
Thanks for the hard work!

Fixes #341

Thanks.
Those reasons are not very strong. If you like we can change the default to install PSP. As for the doctor: as far as I understand, the existing doctor checks will identify that something is wrong (the pods are not running) - they won't identify the cause. Identifying the cause will require identifying that the pods cannot be scheduled due to missing PSP - which will probably require looking at the error events posted on the daemon set. That is indeed a stretch goal and I'd rather not do it.

grampelberg left a comment:
This looks really great to me. The only change I'd make would be to have PSP there always. You're totally right that it isn't required 100% of the time, but for those not using it ... it isn't that big of a deal. It is sane for clusters to be 1.14 or newer, so PSP is pretty much everywhere at this point.

@grampelberg: Is changing the default (so that by default PSP is installed) OK with you?

@moshelitvin-MS yup!

grampelberg left a comment:
Awesome! Thank you!!

Looks good to me too. I totally agree on skipping doctor here.

@mlitvin only thing left is having your commits signed. Once we've got that, this can get merged! See signing commits for more info.

Add the ability to create a pod security policy to allow working in clusters where the default pod security policy is not enough (probably because it doesn't support hostPath volumes).
It always creates and uses a service account for ksync, but actually creates a PSP only if specifically requested.
See #341