assets/lokomotive-kubernetes/bootkube/resources/charts/kubernetes/templates/psp-restricted.yaml
Wait, now that I think about it, shouldn't `privileged` be renamed to `zz-privileged`, so it is being picked up as a last effort?
CI is failing, can you retrigger?

I have a hunch that openebs fails and am currently testing this issue locally.

@surajssd shouldn't
No, it will cause problems. So right now any workload in the cluster has at least one policy that it can go through, i.e. Lines 60 to 72 in 9bd75f0

Now imagine a workload which has its own PSP. Now that workload is eligible for two PSPs: one is its own and another is

So there are two ways to solve this problem. Either we remove the aforementioned binding: Lines 69 to 72 in 9bd75f0

By removing this binding we withdraw the ability of an application workload to work out of the box in Lokomotive, especially those that don't ship a PSP. So we will have to create a RoleBinding as needed. That is, provide

```yaml
# Grants the namespace's default ServiceAccount the right to `use` the
# restricted-psp ClusterRole (and so the restricted PSP) in this namespace only.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-psp-mywebapp
  namespace: mywebapp
roleRef:
  kind: ClusterRole
  name: restricted-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: default
  namespace: mywebapp
```

OR we solve the problem by making sure the ordering is correct in the PSP names, like it is done in this PR. Now we have to make a choice, to be specific a trade-off between usability and security here.
I got one more idea.
@@ -1,7 +1,7 @@ | |||
apiVersion: policy/v1beta1 | |||
kind: PodSecurityPolicy | |||
metadata: | |||
name: restricted | |||
name: zz-restricted |
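Review bot: the new name `zz-restricted` still sorts after `zz-privileged` (`p` comes before `r`), so for a pod that is eligible for both policies the name ordering this PR relies on would try the privileged policy before the restrictive one, the opposite of the stated intent; pick a name that sorts before `zz-privileged`, and since the whole fix rests on alphabetical PSP names, add a comment next to `name:` in this template saying so, so that a later rename does not silently break the ordering.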
Maybe we could name it `zz-minimal`, so then it goes before `zz-privileged`?
This commit renames the PSP `restricted` to `zz-minimal`, so that it is the last one in the list of PSPs but before the `privileged` PSP. `restricted` is applicable to all the workloads in the cluster. If a component already ships a PSP then that specific PSP should be the one that is applied to the workload, not the `restricted` PSP. So keeping it last in the list makes sure that the pod is not filtered under the `restricted` PSP. This was discovered when the `restricted` PSP was interfering with the `rook` PSP. Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

This commit renames the PSP `privileged` to `zz-privileged`. This is done in order to avoid the situation where the `privileged` PSP is picked up accidentally even though a specific, small-scoped (in terms of permissions) PSP exists. Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>
Use policy `zz-privileged` and not `privileged`. Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>
Title changed from "restricted to zz-restricted" to "restricted to zz-minimal".
This PR renames the PSP `restricted` to `zz-minimal`, so that it is the last one in the list of PSPs but before the `privileged` PSP. `restricted` is applicable to all the workloads in the cluster. If a component already ships a PSP then that specific PSP should be the one that is applied to the workload, not the `restricted` PSP. So keeping it last in the list makes sure that the pod is not filtered under the `restricted` PSP. This was discovered when the `restricted` PSP was interfering with the `rook` PSP.

This PR renames the PSP `privileged` to `zz-privileged`. This is done in order to avoid the situation where the `privileged` PSP is picked up accidentally even though a specific, small-scoped (in terms of permissions) PSP exists.

openebs: Rename PSP usage. Use policy `zz-privileged` and not `privileged`.
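The selection logic that the comment above ("any workload in the cluster has at least one policy that it can go through") and the PR description both lean on is the PSP admission controller's policy order: among the policies the pod's service account may `use`, it walks them sorted by name, takes the first one that admits the pod without mutating it, and only if every admitting policy would mutate the pod (fill in a default) does the first one by name win. The following is an added example, not Lokomotive's or Kubernetes' code: a small model of that order, run against constructed policies. The policy names `storage-operator` and the defaults each policy injects are assumptions made up for the illustration and are not the contents of the project's real PSPs. It shows the rename fixing the own-PSP case, and also the caveat that a privileged policy the service account is additionally bound to still wins whenever it admits the pod unchanged, whatever its name.

```python
"""Model of how the PodSecurityPolicy admission controller chooses a policy.

Added example; this is not Lokomotive's code. It follows the selection order
documented for the PSP admission controller: policies the subject may `use`
are sorted by name, a policy that admits the pod without mutating it wins,
and only if every admitting policy would mutate the pod does the first one
by name win. All pods and policies below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Pod:
    privileged: bool = False
    # securityContext fields the manifest sets explicitly; a PSP default
    # only applies (and therefore mutates) when the field is absent here.
    security_context: dict = field(default_factory=dict)


@dataclass
class PSP:
    name: str
    allow_privileged: bool
    # Defaults the policy injects when the pod leaves the field unset (constructed).
    defaults: dict = field(default_factory=dict)

    def admits(self, pod: Pod) -> bool:
        """Validation only: does the policy accept the pod at all?"""
        if pod.privileged and not self.allow_privileged:
            return False
        # An explicit value that contradicts the policy's required default is a rejection.
        return all(pod.security_context.get(k, v) == v for k, v in self.defaults.items())

    def mutates(self, pod: Pod) -> bool:
        """Would applying the policy change the pod (fill in a default)?"""
        return any(k not in pod.security_context for k in self.defaults)


def select_psp(pod: Pod, policies: list, usable: set) -> Optional[str]:
    """Return the name of the PSP the admission controller would apply, or None.

    `usable` is the set of PSP names the pod's service account may `use` via
    RBAC, i.e. the union of every ClusterRoleBinding and RoleBinding that
    applies to it.
    """
    first_mutating = None
    for psp in sorted(policies, key=lambda p: p.name):  # alphabetical by name
        if psp.name not in usable or not psp.admits(pod):
            continue
        if not psp.mutates(pod):
            return psp.name            # non-mutating match: taken immediately
        if first_mutating is None:
            first_mutating = psp.name  # remembered; keep looking for a non-mutating one
    return first_mutating


# Constructed policies (not the project's real ones): a cluster-wide restrictive
# policy that sets defaults, a component's own policy, and a privileged policy.
RESTRICTED = PSP("restricted", allow_privileged=False,
                 defaults={"runAsNonRoot": True, "allowPrivilegeEscalation": False})
COMPONENT = PSP("storage-operator", allow_privileged=True,
                defaults={"allowPrivilegeEscalation": True})
PRIVILEGED = PSP("privileged", allow_privileged=True)


def renamed(psp: PSP, name: str) -> PSP:
    return PSP(name, psp.allow_privileged, psp.defaults)


def demo() -> dict:
    """Run the situations discussed in the PR and return the chosen policy per case."""
    component_pod = Pod()  # leaves securityContext unset, so every default would apply
    before = [RESTRICTED, COMPONENT, PRIVILEGED]
    after = [renamed(RESTRICTED, "zz-minimal"), COMPONENT, renamed(PRIVILEGED, "zz-privileged")]
    return {
        # Cluster-wide binding plus own policy: both mutate, so name order decides.
        "own_psp_before_rename": select_psp(component_pod, before, {"restricted", "storage-operator"}),
        "own_psp_after_rename": select_psp(component_pod, after, {"zz-minimal", "storage-operator"}),
        # Service account additionally bound to the privileged policy: it admits the
        # pod without mutation, so it wins regardless of the zz- prefix.
        "also_bound_to_privileged": select_psp(
            component_pod, after, {"zz-minimal", "storage-operator", "zz-privileged"}),
        # A privileged pod is rejected outright by the restrictive policy.
        "privileged_pod": select_psp(Pod(privileged=True), after, {"zz-minimal", "zz-privileged"}),
    }


if __name__ == "__main__":
    for case, choice in demo().items():
        print(f"{case}: {choice}")
```

The practical check on a real cluster is the `kubernetes.io/psp` annotation the admission controller writes on each admitted pod: compare it with the policy you expected, and if a workload ends up on the privileged policy despite a tighter one of its own, look at which bindings grant its service account `use` of the privileged policy rather than at the policy names.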