Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

podSecurityAdmission Template #66

Open
orenr2301 opened this issue Dec 12, 2023 · 3 comments
Open

podSecurityAdmission Template #66

orenr2301 opened this issue Dec 12, 2023 · 3 comments
Assignees

Comments

@orenr2301
Copy link

@ckotzbauer

Following that issue: #39

I would like to suggest to add another template for securityPodAdmission
Since Kubernetes moved from PSP to PSA at version 1.25.1 and above, I believe addressing this to those who have clusters with higher versions and not a legacy version

I facing the same issue as mentioned issue here, and I also noticed it is still hard-coded at the template/chart level
at the latest version 5.3.1

Since it's related to the privilege escalation matter I would suggest making a dependency

podSecurityAdmission create: true hostPID: false hostIPC: false

{{- if 
.Values.podSecurityAdmission.create - here to handled
}}
apiVersion: {{ template 
"kured.psp.apiVersion"
 . }}
3
kind: PodSecurityAdmission - also changing kind 
4
metadata:
5
  name: {{ template 
"kured.fullname"
 . }}
6
  labels:
7
    {{- include 
"kured.labels"
 . | 

nindent
 4 }}
8
spec:
9
  privileged: true - need to be templated
10
  hostPID: true - need to be templated 
11
  allowedCapabilities: ['*'] - also to be templated 
12
  fsGroup:
13
    rule: RunAsAny
14
  runAsUser:
15
    rule: RunAsAny
16
  seLinux:
17
    rule: RunAsAny
18
  supplementalGroups:
19
    rule: RunAsAny
20
  volumes: ['*']
21
{{- end }}

As currently im having a 1.26.3 cluster version and has to make a manual change :(

If further details is needed from me than let me know

Regards,
orenr2301

@ckotzbauer ckotzbauer self-assigned this Dec 12, 2023
@evrardjp
Copy link
Contributor

@orenr2301 are you willing to propose a patch?

@evrardjp
Copy link
Contributor

Is this linked to #48

@orenr2301
Copy link
Author

@evrardjp Do you mean, that If I can commit my proposed changes for review? (creating a PR ?)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants