Add Seccomp profile to deployment #446

Merged
merged 3 commits into from
May 6, 2023

Conversation

WesselAtWork
Contributor

Description of changes:

I have recently tried leveraging the k8s built-in Enforce Pod Security Standards with Namespace Labels feature.

When I tried to install one of the controllers I noticed warnings on the restricted profile.
This I found strange because I checked beforehand and I saw you were already dropping all the capabilities:

securityContext:
  allowPrivilegeEscalation: false
  privileged: false
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL

And hard setting the host env:

hostIPC: false
hostNetwork: false
hostPID: false

It looks like it's just missing the seccomp profile!

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
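
The gap described in this PR, as an added example that is not part of the original PR or the project's code: a small checker for a subset of the Kubernetes "restricted" Pod Security Standard, run on a constructed pod spec that mirrors the settings quoted above. The container name `controller` and the `RuntimeDefault` value in the "after" spec are assumptions; the page does not show the value the PR set.

```python
# Added example: checks a subset of the Kubernetes "restricted" Pod Security
# Standard. Not the project's code; the container name is a placeholder.
import copy

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def restricted_violations(pod_spec):
    """Return a list of violations; an empty list means these checks pass."""
    problems = []
    for field in ("hostIPC", "hostNetwork", "hostPID"):
        if pod_spec.get(field):
            problems.append(f"{field} must be false or unset")
    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be false or unset")
        # Container-level values override pod-level ones when both are set.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add") or []) - ALLOWED_ADDED_CAPS:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


# Constructed pod spec mirroring the settings quoted in the PR description.
BEFORE = {
    "hostIPC": False, "hostNetwork": False, "hostPID": False,
    "containers": [{"name": "controller", "securityContext": {
        "allowPrivilegeEscalation": False, "privileged": False,
        "runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}}}],
}
AFTER = copy.deepcopy(BEFORE)
AFTER["containers"][0]["securityContext"]["seccompProfile"] = {"type": "RuntimeDefault"}

if __name__ == "__main__":
    print("before:", restricted_violations(BEFORE))
    print("after: ", restricted_violations(AFTER))
```
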

@ack-prow ack-prow bot requested review from a-hilaly and RedbackThomson May 5, 2023 13:21
@ack-prow ack-prow bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 5, 2023
@ack-prow

ack-prow bot commented May 5, 2023

Hi @WesselAtWork. Thanks for your PR.

I'm waiting for an aws-controllers-k8s member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@WesselAtWork
Contributor Author

I added it to the deployment template for Helm and the Config Folder.
Let me know if I missed anywhere else.

Collaborator

@jaypipes jaypipes left a comment

Great stuff, thank you @WesselAtWork! :)

@jaypipes
Collaborator

jaypipes commented May 5, 2023

/lgtm

@ack-prow ack-prow bot added the approved label May 5, 2023
@ack-prow ack-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 5, 2023
@ack-prow

ack-prow bot commented May 5, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jaypipes, WesselAtWork

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jaypipes
Collaborator

jaypipes commented May 6, 2023

/retest

@ack-prow ack-prow bot merged commit 9e2542c into aws-controllers-k8s:main May 6, 2023