-
Notifications
You must be signed in to change notification settings - Fork 39.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PodSecurityPolicies for addons #55509
Conversation
/cc @liggitt |
@@ -58,26 +58,12 @@ spec: | |||
- /heapster | |||
- --source=kubernetes.summary_api:'' | |||
- --sink=gcm | |||
volumeMounts: | |||
- name: ssl-certs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does heapster not need to talk to googleapis.com?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With this change heapster uses the SSL certs that are built into the container, rather than those on the host. My understanding is that the certificates in the container are sufficient that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(To clarify - usually this practice of mounting the host certificates is only needed for FROM scratch
containers. However, heapster copies in the host certs when it's built, so this isn't necessary).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how long are those valid for?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
$ openssl x509 -in heapster/92474ba266e5a063e88a4cc5f136d5bac305cb75538b4086a73c1ac27d834ce6/etc/ssl/certs/ca-certificates.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6828503384748696800 (0x5ec3b7a6437fa4e0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES
Validity
Not Before: May 5 09:37:37 2011 GMT
Not After : Dec 31 09:37:37 2030 GMT
Subject: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES
...
Looks like that shouldn't be a problem, as long as they aren't revoked.
That said, this is a a common requirement for containers. Maybe we need to build a solution that doesn't require a HostPath volume...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, ya. I agree.
/lgtm |
For the heapster changes |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: crassirostris, mikedanese, tallclair Associated issue: 43538 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
Automatic merge from submit-queue (batch tested with PRs 54602, 54877, 55243, 55509, 55128). If you want to cherry-pick this change to another branch, please follow the instructions here. |
…509-upstream-release-1.8 Automatic merge from submit-queue. Automated cherry pick of #55509 upstream release 1.8 Cherry pick of #55509 on release-1.8. #55509: PodSecurityPolicies for addons Justification: configuration-only changes to add PodSecurityPolicies for cluster addons, which is required for enabling the controller. ```release-note - Add PodSecurityPolicies for cluster addons - Remove SSL cert HostPath volumes from heapster addons ```
What this PR does / why we need it:
podsecuritypolicies
subdirectory).Which issue(s) this PR fixes:
#43538
Release note: