Updated helm install example to use proper security defaults #989

Merged
merged 1 commit into from
Nov 8, 2024

Contributor

@Xartos Xartos commented Nov 7, 2024

⚠️ IMPORTANT ⚠️: This is a public repository. Make sure to not disclose:

  • personal data beyond what is necessary for interacting with this Pull Request;
  • business confidential information, such as customer names.

Quality gates:

  • I'm aware of the Contributor Guide and did my best to follow the guidelines.
  • I'm aware of the Glossary and did my best to use those terms.

When installing the demo application according to this section, the deployment will result in a warning about it not following the restricted PSS.

$ helm upgrade --install ...
.
.
.
W1107 13:24:08.331340  347415 warnings.go:70] would violate PodSecurity "restricted:latest": 
  allowPrivilegeEscalation != false (container "welkin-user-demo" must set securityContext.allowPrivilegeEscalation=false), 
  unrestricted capabilities (container "welkin-user-demo" must set securityContext.capabilities.drop=["ALL"]), 
  runAsNonRoot != true (pod or container "welkin-user-demo" must set securityContext.runAsNonRoot=true), 
  seccompProfile (pod or container "welkin-user-demo" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
.
.
.

This would solve that issue.

@Xartos Xartos requested a review from a team November 7, 2024 12:52
@Xartos Xartos requested a review from a team as a code owner November 7, 2024 12:52
Contributor

@AlbinB97 AlbinB97 left a comment

nice catch 👍

Collaborator

@cristiklein cristiklein left a comment

Please make these changes part of the user-demo Helm Chart. For the sake of "GitOps-ness", I'd like the Helm command to only include stuff which is not pre-determined.

Contributor Author

Xartos commented Nov 7, 2024

> Please make these changes part of the user-demo Helm Chart. For the sake of "GitOps-ness", I'd like the Helm command to only include stuff which is not pre-determined.

Right, yea I thought about that in the beginning, but seeing that it's not set at all by default I thought that was intentional. But I'll change it 👍

Collaborator

@cristiklein cristiklein left a comment

Yup, the "would violate PodSecurity" warning is gone. Thank you!

@Xartos Xartos merged commit c789193 into main Nov 8, 2024
@Xartos Xartos deleted the fli/fix-demo-app-defaults branch November 8, 2024 13:08