Support PodSecurityPolicy #177

Merged
merged 12 commits into from
Jun 26, 2020

@lawliet89 lawliet89 commented Jan 14, 2020

$ bats test/unit/injector-psp*
 ✓ injector/PodSecurityPolicy-Role: PodSecurityPolicy-Role not enabled by default
 ✓ injector/PodSecurityPolicy-Role: enable with injector.enabled and global.pspEnable
 ✓ injector/PodSecurityPolicy-Role: disable with global.enabled
 ✓ injector/PodSecurityPolicy-RoleBinding: PodSecurityPolicy-RoleBinding not enabled by default
 ✓ injector/PodSecurityPolicy-RoleBinding: enable with injector.enabled and global.pspEnable
 ✓ injector/PodSecurityPolicy-RoleBinding: disable with global.enabled
 ✓ injector/PodSecurityPolicy: PodSecurityPolicy not enabled by default
 ✓ injector/PodSecurityPolicy: enable with injector.enabled and global.pspEnable
 ✓ injector/PodSecurityPolicy: disable with global.enabled

9 tests, 0 failures

$ bats test/unit/server-psp*
 ✓ server/PSP-Role: PSP-Role not enabled by default
 ✓ server/PSP-Role: PSP-Role can be enabled
 ✓ server/PSP-Role: disable with global.enabled false
 ✓ server/PSP-Role: disable with global.pspEnable false
 ✓ server/PSP-Role: disable with global.enabled false global.pspEnable.enabled false
 ✓ server/PSP-RoleBinding: PSP-RoleBinding not enabled by default
 ✓ server/PSP-RoleBinding: PSP-RoleBinding can be enabled
 ✓ server/PSP-RoleBinding: disable with global.enabled false
 ✓ server/PSP-RoleBinding: disable with global.pspEnable false
 ✓ server/PSP-RoleBinding: disable with global.enabled false global.pspEnable.enabled false
 ✓ server/PodSecurityPolicy: PodSecurityPolicy not enabled by default
 ✓ server/PodSecurityPolicy: PodSecurityPolicy can be enabled
 ✓ server/PodSecurityPolicy: disable with global.enabled false
 ✓ server/PodSecurityPolicy: disable with global.pspEnable false
 ✓ server/PodSecurityPolicy: disable with global.enabled false global.pspEnable.enabled false
 ✓ server/PodSecurityPolicy: PodSecurityPolicy allows PVC by default
 ✓ server/PodSecurityPolicy: PodSecurityPolicy allows PVC with dataStorage
 ✓ server/PodSecurityPolicy: PodSecurityPolicy does not allow PVC without dataStorage

18 tests, 0 failures

@tvoran tvoran added chart Area: helm chart enhancement New feature or request labels Mar 4, 2020
@lawliet89
Contributor Author

@tvoran and @jasonodonnell could you review this please?

@tvoran tvoran self-requested a review May 12, 2020 20:19
@jasonodonnell
Contributor

@lawliet89 We're taking a look at this PR and will get this merged soon.

# Required to prevent escalations to root.
allowPrivilegeEscalation: false
allowedCapabilities:
- IPC_LOCK
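
Review bot: the `allowedCapabilities` entry has no comment explaining why `IPC_LOCK` is allowed, unlike `allowPrivilegeEscalation` just above it. If the capability is still required, add a one-line comment stating what needs it; if it is not, drop the entry so the policy allows no added capabilities.
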
Contributor

This should now not be needed, as per #198

Contributor Author

I have removed this.

templates/injector-psp-rolebinding.yaml (outdated, resolved)
templates/server-psp-rolebinding.yaml (outdated, resolved)
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
@tvoran tvoran added this to the 0.6.0 milestone May 22, 2020
templates/injector-psp.yaml (outdated, resolved)
@jasonodonnell jasonodonnell modified the milestones: v0.6.0, v0.7.0 Jun 3, 2020
templates/injector-psp.yaml (outdated, resolved)
@lawliet89
Contributor Author

@tvoran Both strings and objects are supported.

Member

@tvoran tvoran left a comment


Thanks, added some questions about the tests.

test/unit/server-psp-role.bats (outdated, resolved)
test/unit/server-psp-rolebinding.bats (outdated, resolved)
test/unit/server-psp.bats (outdated, resolved)
values.yaml (outdated, resolved)
lawliet89 and others added 2 commits June 25, 2020 08:52
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
@tvoran tvoran merged commit adf5bf6 into hashicorp:master Jun 26, 2020
@jasonodonnell jasonodonnell mentioned this pull request Aug 24, 2020