This repository was archived by the owner on Apr 17, 2025. It is now read-only.
generated from kubernetes/kubernetes-template-project
Security Context #181
**adrianludwin** commented:

Hi, thanks for this! I'm guessing you would like us to add these to HNC? Would you be willing to make a pull request yourself? And is this urgent for v1.0.x or can it wait until v1.1?
On Tue, Apr 5, 2022 at 7:52 AM Roman Gherta wrote:

> Successfully tested restricted namespace enforcing v1.23 and pod security standards

```yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    control-plane: controller-manager
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.23
  name: hnc-system
```

> Also security context for controller-manager

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
  name: hnc-controller-manager
  namespace: hnc-system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - args:
        - --webhook-server-port=9443
        - --metrics-addr=:8080
        - --max-reconciles=10
        - --apiserver-qps-throttle=50
        - --excluded-namespace=kube-system
        - --excluded-namespace=kube-public
        - --excluded-namespace=hnc-system
        - --excluded-namespace=kube-node-lease
        - --excluded-namespace=openebs
        - --excluded-namespace=default
        - --excluded-namespace=gitlab-kubernetes-agent
        - --excluded-namespace=cilium-monitoring
        - --enable-internal-cert-management
        - --cert-restart-on-secret-refresh
        command:
        - /manager
        image: gcr.io/k8s-staging-multitenancy/hnc-manager:v1.0.0
        livenessProbe:
          failureThreshold: 1
          httpGet:
            path: /healthz
            port: 8081
          periodSeconds: 10
        name: manager
        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP
        - containerPort: 8080
          name: metrics
          protocol: TCP
        ...
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop: ["ALL"]
        ...
      ...
```
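The two manifests quoted above rely on the Pod Security admission controller (enabled by the `pod-security.kubernetes.io/enforce: restricted` label) to reject pods whose `securityContext` falls short of the restricted profile. Before rolling that label out it helps to check offline which of the restricted-profile controls a workload already satisfies. The script below is an added example, not code from the HNC project or from the issue author: it takes a Pod or Deployment in JSON form (for example the output of `kubectl get deploy hnc-controller-manager -n hnc-system -o json`, or stdin), and lists the controls the pod template fails. It covers the controls the issue's manifest sets (privilege escalation, non-root, seccomp, capabilities) plus the host-namespace fields; it is not a full reimplementation of the profile, and the embedded `SAMPLE` manifests are constructed to mirror the issue's Deployment.

```python
"""Offline check of a pod template against the 'restricted' Pod Security Standard.

Added example, not part of HNC. Covers a subset of the restricted profile:
privileged, allowPrivilegeEscalation, runAsNonRoot, seccompProfile,
capabilities and host namespaces. Authoritative enforcement is done by the
Pod Security admission controller once the namespace label is applied.
"""
import json
import sys

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}

# Constructed sample mirroring the issue's hnc-controller-manager container.
SAMPLE = """{
  "kind": "Deployment",
  "metadata": {"name": "hnc-controller-manager", "namespace": "hnc-system"},
  "spec": {"template": {"spec": {"containers": [{
    "name": "manager",
    "image": "gcr.io/k8s-staging-multitenancy/hnc-manager:v1.0.0",
    "securityContext": {
      "allowPrivilegeEscalation": false,
      "readOnlyRootFilesystem": true,
      "runAsNonRoot": true,
      "seccompProfile": {"type": "RuntimeDefault"},
      "capabilities": {"drop": ["ALL"]}}}]}}}
}"""

# Constructed sample that only sets runAsNonRoot, as a "before" manifest.
SAMPLE_WEAK = """{
  "kind": "Deployment",
  "spec": {"template": {"spec": {"containers": [{
    "name": "manager", "securityContext": {"runAsNonRoot": true}}]}}}
}"""


def pod_template(obj: dict) -> dict:
    """Return the pod spec of a Pod, or of any workload carrying spec.template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def restricted_violations(pod_spec: dict) -> list:
    """Return human-readable violations of the restricted profile (empty if compliant)."""
    problems = []
    pod_sc = pod_spec.get("securityContext") or {}
    for host_field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(host_field):
            problems.append(f"pod: {host_field} must be false")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be false")
        # Must be set explicitly to false on every container; unset is a violation.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        # Container value wins; otherwise the pod-level value applies.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true at pod or container level")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADD_CAPS
        if extra:
            problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
    return problems


def check_manifest(text: str) -> list:
    """Parse a JSON manifest and return its restricted-profile violations."""
    return restricted_violations(pod_template(json.loads(text)))


def namespace_enforces_restricted(ns: dict) -> bool:
    """True if the Namespace object carries the enforce=restricted label from the issue."""
    labels = ns.get("metadata", {}).get("labels", {})
    return labels.get("pod-security.kubernetes.io/enforce") == "restricted"


if __name__ == "__main__":
    manifest = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in check_manifest(manifest) or ["compliant with the restricted profile"]:
        print(line)
```

Run it with no input and it checks the embedded sample, which passes; pipe in `kubectl get deploy ... -o json` and it reports each failing control by container name. The pod/container precedence for `runAsNonRoot` and `seccompProfile` follows the profile's rule that container-level values may be omitted when the pod level sets them, while a container-level `Unconfined` or `runAsNonRoot: false` is still rejected.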
**rgherta** commented:

I think it can wait for the next release. I will create the pull request of course.
**adrianludwin** commented:

Great, awesome!

On Tue, Apr 5, 2022 at 11:34 AM Roman Gherta wrote:

> I think it can wait for the next release. I will create the pull request of course.
Closed.

rgherta added a commit to rgherta/hierarchical-namespaces that referenced this issue on Apr 5, 2022:

> Fixes kubernetes-retired#181
>
> Tested:

```
ok  sigs.k8s.io/hierarchical-namespaces/internal/anchor           0.026s  coverage: 14.9% of statements
ok  sigs.k8s.io/hierarchical-namespaces/internal/config           0.049s  coverage: 18.8% of statements
ok  sigs.k8s.io/hierarchical-namespaces/internal/forest           0.043s  coverage: 25.1% of statements
ok  sigs.k8s.io/hierarchical-namespaces/internal/hierarchyconfig  0.099s  coverage: 23.8% of statements
ok  sigs.k8s.io/hierarchical-namespaces/internal/hncconfig        0.023s  coverage: 25.7% of statements
ok  sigs.k8s.io/hierarchical-namespaces/internal/namespace        0.020s  coverage: 59.8% of statements
ok  sigs.k8s.io/hierarchical-namespaces/internal/objects          0.018s  coverage: 35.3% of statements
ok  sigs.k8s.io/hierarchical-namespaces/test/e2e                  0.002s
```
Merged.