From cd4c37beb83a1ba0af29137c90355829aa90abea Mon Sep 17 00:00:00 2001
From: Graham Dumpleton
Date: Fri, 6 May 2022 17:28:37 +1000
Subject: [PATCH] Make the default security policy baseline given onerous requirements of restricted on workshop creators.

---
 .../bundle/config/11-session-manager/01-crds-workshop.yaml | 4 ++--
 session-manager/handlers/workshopsession.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/carvel-package/bundle/config/11-session-manager/01-crds-workshop.yaml b/carvel-package/bundle/config/11-session-manager/01-crds-workshop.yaml
index 256a8469..773e71ac 100644
--- a/carvel-package/bundle/config/11-session-manager/01-crds-workshop.yaml
+++ b/carvel-package/bundle/config/11-session-manager/01-crds-workshop.yaml
@@ -322,7 +322,7 @@ spec:
 - nonroot
 - anyuid
 - custom
- default: restricted
+ default: baseline
 secondary:
 type: array
 items:
@@ -380,7 +380,7 @@ spec:
 - nonroot
 - anyuid
 - custom
- default: restricted
+ default: baseline
 resources:
 type: object
 properties:
diff --git a/session-manager/handlers/workshopsession.py b/session-manager/handlers/workshopsession.py
index 64cf7d2d..8d841e26 100644
--- a/session-manager/handlers/workshopsession.py
+++ b/session-manager/handlers/workshopsession.py
@@ -523,7 +523,7 @@ def workshop_session_create(name, meta, spec, status, patch, logger, **_):
 budget = "default"
 limits = {}
- namespace_security_policy = "nonroot"
+ namespace_security_policy = "baseline"
 security_policy_mapping = {
 "restricted": "restricted",
@@ -536,7 +536,7 @@ def workshop_session_create(name, meta, spec, status, patch, logger, **_):
 }
 def resolve_security_policy(name):
- return security_policy_mapping.get(name, "restricted")
+ return security_policy_mapping.get(name, "baseline")
 if workshop_spec.get("session"):
 role = workshop_spec["session"].get("namespaces", {}).get("role", role)
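Review bot: The new `default: baseline` at the first schema hunk (line 322) is only valid if `baseline` is one of the enum values declared above it; the visible tail of that enum shows only nonroot, anyuid and custom, and the head of the list lies outside the hunk, so confirm `baseline` is listed, otherwise objects that omit the field would be defaulted to a value the schema itself rejects. The same check applies to the second hunk at line 380. A `description` next to each default recording that the project moved from restricted to baseline, and that authors who want the stricter policy must now set it explicitly, would keep the weaker default from being an unrecorded choice.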
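Review bot: `namespace_security_policy = "baseline"` is one of four places (this line, the fallback in the next hunk, and the two CRD defaults) that now spell the default policy as a bare literal, and it sits inside `workshop_session_create`, whose body starts and ends outside the hunk. A module-level `DEFAULT_SECURITY_POLICY = "baseline"` with a comment such as `# Relaxed from "restricted": its requirements proved too onerous for workshop authors; must match the defaults in 01-crds-workshop.yaml`, used here and in the `resolve_security_policy` fallback, would keep the code and schema defaults from drifting apart. Note that the value replaced here was `"nonroot"`, not `"restricted"`, so this hunk changes a default that already differed from the one the commit subject describes; if that is intentional it is worth a sentence in the commit message.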
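Review bot: `security_policy_mapping.get(name, "baseline")` maps an unrecognised policy name to the weaker policy rather than the stricter one, which is fail-open: assuming `baseline` is itself a key of the mapping (the middle of the dict is outside these hunks), the `.get` default is reached only for a value that is not a known policy, so it does not affect the documented default the CRD now supplies but does decide what happens on a value that slipped past schema validation. Keeping the fallback conservative with `return security_policy_mapping.get(name, "restricted")`, or at least logging the unknown `name` via the `logger` the enclosing function receives before falling back, preserves the new default for the normal path while keeping the unexpected case safe. `resolve_security_policy` is nested in `workshop_session_create`, which continues beyond this hunk.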