Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Match k8s recommended restricted PSP. #4439

Merged
merged 1 commit into from
Jan 5, 2022
Merged

Match k8s recommended restricted PSP. #4439

merged 1 commit into from
Jan 5, 2022

Conversation

wlynch
Copy link
Member

@wlynch wlynch commented Dec 22, 2021
edited
Loading

Changes

This updates the tekton-pipelines PodSecurityPolicy to add missing
values included in the k8s recommended restricted policy - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted (see restricted-psp.yaml for example).

  • Adds seccomp and apparmor annotations.
  • Drops all capabilities.
  • Restricts GID to non-zero (I think this might be redundant with
    supplemenalGroups, but including just in case)

/kind feature

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Docs included if any changes are user facing
  • Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

tekton-pipelines PodSecurityPolicy now drops all capabilities and enables default
seccomp/apparmor annotations. This should not affect user Runs unless you are
running in the tekton-pipelines namespace (which we generally do not recommend).

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Dec 22, 2021
@tekton-robot tekton-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Dec 22, 2021
@wlynch
Match k8s recommended restricted PSP.
0f98bc5 
This updates the tekton-pipelines PodSecurityPolicy to add missing
values included in the k8s recommended `restricted` policy - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

- Adds seccomp and apparmor annotations.
- Drops all capabilities.
- Restricts GID to non-zero (I think this might be redundant with
supplemenalGroups, but including just in case)
@dlorenc
Copy link
Contributor

dlorenc commented Dec 23, 2021

Nice!

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Dec 23, 2021
@dlorenc dlorenc mentioned this pull request Dec 27, 2021
Closed
@jerop
Copy link
Member

jerop commented Jan 5, 2022

/assign

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jerop

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 5, 2022
@tekton-robot tekton-robot merged commit 075eb4a into tektoncd:main Jan 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jerop jerop jerop approved these changes

@imjasonh imjasonh Awaiting requested review from imjasonh

@vdemeester vdemeester Awaiting requested review from vdemeester

Assignees

@dlorenc dlorenc

@jerop jerop

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@wlynch @dlorenc @jerop @tekton-robot