Backport of Support running with restricted PSA enforcement enabled (part 1) into release/1.2.x #2638

Merged: pglass merged 1 commit into release/1.2.x from backport/pglass/NET-185/basic-connect-test/truly-stable-perch on Jul 24, 2023
Conversation
hc-github-team-consul-core force-pushed the backport/pglass/NET-185/basic-connect-test/truly-stable-perch branch 2 times, most recently from ce61785 to 65cab23 (July 24, 2023 16:06)
pglass force-pushed the backport/pglass/NET-185/basic-connect-test/truly-stable-perch branch from 65cab23 to 799b116 (July 24, 2023 16:43)
Support restricted PSA enforcement in a basic setup. This is enough to get a basic setup with ACLs and TLS working and an acceptance test passing (but does not update every component).

On OpenShift, we have the option to set the security context or not. If the security context is unset, then it is set automatically by OpenShift SCCs. However, we prefer to set the security context to avoid useless warnings on OpenShift and to reduce the config difference between OpenShift and plain Kube. By default, OpenShift namespaces have the audit and warn PSA labels set to restricted, so we receive pod security warnings when deploying Consul to OpenShift even though the pods will be able to run.

Helm chart changes:
* Add a helper to the helm chart to define a "restricted" container security context (when pod security policies are not enabled)
* Update the following container securityContexts to use the "restricted" settings (not exhaustive)
  - gateway-cleanup-job.yaml
  - gateway-resources-job.yaml
  - gossip-encryption-autogenerate-job.yaml
  - server-acl-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset
  - server-acl-init-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset
  - server-statefulset.yaml:
    - the locality-init container receives the restricted context
    - the consul container receives the restricted context only if `.Values.server.containerSecurityContext.server` is unset
  - tls-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset
  - tls-init-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset
  - webhook-cert-manager-deployment.yaml

Acceptance test changes:
* When `-enable-openshift` and `-enable-cni` are set, configure the CNI settings correctly for OpenShift.
* Add the `-enable-restricted-psa-enforcement` test flag. When this is set, the tests assume the Consul namespace has restricted PSA enforcement enabled. The tests will deploy the CNI (if enabled) into the `kube-system` namespace. Compatible test cases will deploy applications outside of the Consul namespace.
* Update the ConnectHelper to configure the NetworkAttachmentDefinition required to be compatible with the CNI on OpenShift.
* Add fixtures for static-client and static-server for OpenShift. This is necessary because the deployment configs must reference the network attachment definition when using the CNI on OpenShift.
* Update tests in the `acceptance/tests/connect` directory to either run or skip based on -enable-cni and -enable-openshift
pglass force-pushed the backport/pglass/NET-185/basic-connect-test/truly-stable-perch branch from 799b116 to 143bc59 (July 24, 2023 16:46)
There are a couple of test failures that look like flakes. I tested those cases locally using the following commands, and they passed, so merging this.
And:
pglass approved these changes on Jul 24, 2023
pglass deleted the backport/pglass/NET-185/basic-connect-test/truly-stable-perch branch on July 24, 2023 18:58
Backport

This PR is auto-generated from #2572 to be assessed for backporting due to the inclusion of the label backport/1.2.x.

🚨 The person who merged in the original PR is: @pglass

This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in.

The below text is copied from the body of the original PR.
Changes proposed in this PR:
Support restricted PSA enforcement in a basic setup. This is enough to get a basic setup working and an acceptance test passing (but does not update every component).
This enables running Consul in a basic configuration with PSA enforcement set to restricted on the namespace where Consul is deployed. (This requires deploying the CNI to a different privileged namespace).
On OpenShift, we have the option to set the security context or not. If the security context is unset, then it is set automatically by OpenShift SCCs. However, we prefer to set the security context to avoid useless warnings on OpenShift and to reduce the config difference between OpenShift and plain Kube. By default, OpenShift namespaces have the audit and warn PSA labels set to restricted, so we receive pod security warnings when deploying Consul to OpenShift even though the pods will be able to run.
Helm chart changes:
* Add a helper to define a "restricted" container security context (when pod security policies are not enabled)
* Update the following container securityContexts to use the "restricted" settings (not exhaustive)
  - gateway-cleanup-job.yaml
  - gateway-resources-job.yaml
  - gossip-encryption-autogenerate-job.yaml
  - server-acl-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset
  - server-acl-init-job.yaml - only if `.Values.server.containerSecurityContext.server.acl-init` is unset
  - server-statefulset.yaml:
    - the locality-init container receives the restricted context
    - the consul container receives the restricted context only if `.Values.server.containerSecurityContext.server` is unset
  - tls-init-cleanup-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset
  - tls-init-job.yaml - only if `.Values.server.containerSecurityContext.server.tls-init` is unset
  - webhook-cert-manager-deployment.yaml

Acceptance test changes:
* When `-enable-openshift` and `-enable-cni` are set, configure the CNI settings correctly for OpenShift, which must look like:
* Add the `-enable-restricted-psa-enforcement` test flag. When this is set, the tests assume the Consul namespace has restricted PSA enforcement enabled. The tests will deploy the CNI (if enabled) into the `kube-system` namespace. Compatible test cases will deploy applications outside of the Consul namespace.
* Update the ConnectHelper to configure the NetworkAttachmentDefinition required to be compatible with the CNI on OpenShift.
* Add fixtures for static-client and static-server for OpenShift. This is necessary because the deployment configs must reference the network attachment definition when using the CNI on OpenShift.
* Update tests in the `acceptance/tests/connect` directory to either run or skip based on -enable-cni and -enable-openshift
How I've tested this PR:
* `crc start -m 18432` (https://developer.hashicorp.com/consul/tutorials/kubernetes/kubernetes-openshift-red-hat#crc-setup). You will need a non-latest version of CRC to get OpenShift 4.12 (otherwise you'll have 4.13+).
* `acceptance` directory, and fix the CONSUL_LICENSE environment variable. You may want to increase the test timeout. The script configures three namespaces (cni, consul, app) and sets their PSA enforcement levels appropriately. Then it runs the tests.
How I expect reviewers to test this PR:
Idk, run OpenShift and try the instructions above if you dare.
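The "restricted" container security context that the new Helm helper renders has to satisfy the container-level rules of the Kubernetes "restricted" Pod Security Standard, which is what the namespace enforces once the `-enable-restricted-psa-enforcement` setup is in place. The Go check below is an added illustration, not code from consul-k8s: it models those rules over a constructed stand-in struct (field names are assumptions, not the k8s.io/api types), assumes runAsNonRoot and seccompProfile are not set at the pod level, and shows which fields a container with an unset securityContext (the case where OpenShift SCCs would otherwise fill it in) fails under enforcement.

```go
package main

// Stand-in for the container securityContext fields the "restricted" Pod
// Security Standard inspects (constructed here, not the k8s.io/api types).
// A nil *bool or empty string models a field left unset in the manifest.
type ContainerSecurityContext struct {
	Privileged, AllowPrivilegeEscalation, RunAsNonRoot *bool
	CapAdd, CapDrop                                    []string
	SeccompType                                        string // RuntimeDefault, Localhost, Unconfined
}

func boolPtr(b bool) *bool { return &b }
// RestrictedViolations lists the restricted-profile rules that sc fails. It
// assumes runAsNonRoot/seccompProfile are not set at pod level; empty = passes.
func RestrictedViolations(sc ContainerSecurityContext) []string {
	var v []string
	if sc.Privileged != nil && *sc.Privileged {
		v = append(v, "privileged must be false")
	}
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation must be explicitly false")
	}
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		v = append(v, "runAsNonRoot must be true")
	}
	dropsAll := false
	for _, c := range sc.CapDrop {
		dropsAll = dropsAll || c == "ALL"
	}
	if !dropsAll {
		v = append(v, "capabilities.drop must include ALL")
	}
	for _, c := range sc.CapAdd {
		if c != "NET_BIND_SERVICE" { // the only capability restricted allows adding back
			v = append(v, "capabilities.add may not contain "+c)
		}
	}
	if sc.SeccompType != "RuntimeDefault" && sc.SeccompType != "Localhost" {
		v = append(v, "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	return v
}
// RestrictedContext is the minimal context a chart "restricted" helper must render.
func RestrictedContext() ContainerSecurityContext {
	return ContainerSecurityContext{
		AllowPrivilegeEscalation: boolPtr(false), RunAsNonRoot: boolPtr(true),
		CapDrop: []string{"ALL"}, SeccompType: "RuntimeDefault",
	}
}
```

An entirely unset context fails four rules (allowPrivilegeEscalation, runAsNonRoot, capabilities.drop and seccompProfile), which is why leaving the field to OpenShift SCCs still produces warnings under the audit/warn labels.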