Define SecurityContext for container components #923
Comments
There are two solutions for this. Or we leave the responsibility of correctly setting the
Closing issue as I believe users can define SecurityContext in the latest devfile schema version. If this is incorrect we can reopen it.
You can by overriding through the attributes: https://devfile.io/docs/2.2.2/overriding-pod-and-container-attributes#container-overrides But the schema spec does not contain
With the introduction of Pod Security Admission in Kubernetes 1.25 and with OpenShift enabling this by default in 4.11 (https://cloud.redhat.com/blog/pod-security-admission-in-openshift-4.11), Devfile should allow users to define SecurityContext for container components. The SecurityContext is required to pass the checks performed by the PodSecurity Admission controller. For example, in OCP 4.11 the "restricted" policy is audited. That means that every container started without a proper SecurityContext will produce a warning and will be recorded to the audit log. The containers without a proper SecurityContext will be even more problematic with future OCP versions, as they plan to change the default from "audit" to "enforce". This will mean that every container that doesn't meet the "restricted" requirements will be rejected.
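As an added example, not taken from the issue or from the devfile project, the following devfile uses the container-overrides attribute referenced in the comments to give a container component a SecurityContext that satisfies every field the Pod Security Standards "restricted" profile checks. The schema version, metadata name, component name and image are placeholders chosen for this illustration:

```yaml
schemaVersion: 2.2.0
metadata:
  name: restricted-example        # placeholder devfile name
components:
  - name: tools                   # placeholder component name
    attributes:
      # container-overrides is merged into the container spec that the
      # devfile tooling generates for this component.
      container-overrides:
        securityContext:
          # The four settings the "restricted" profile requires per container:
          runAsNonRoot: true             # kubelet refuses to start the container as UID 0
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL                      # no added capabilities, so drop everything
          seccompProfile:
            type: RuntimeDefault         # Localhost would also be accepted
    container:
      image: registry.example.com/devtools:latest   # placeholder image
      memoryLimit: 512Mi
```

runAsNonRoot: true only passes at runtime if the image itself declares a non-root user or runAsUser is set to a non-zero UID, so images that default to root need one of those as well. Before a namespace is switched from audit to enforce, the pods that would be rejected can be previewed without changing anything using the Kubernetes-documented dry run, kubectl label --dry-run=server --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted, which prints a warning for each existing pod that fails the profile.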