Include policies for securing sandbox namespace #792
Conversation
Hi @CosimoMichelagnoli. Thanks for your PR. I am @kingmakerbot.
Make sure this PR appears in the CrownLabs changelog, adding one of the following labels:
Branch updated: c178ff0 to ac392c0
Branch updated: c2952b5 to 7778f20
Branch updated: c5734a1 to 1392acd
A few initial comments inline. Additionally:
- For the moment, I would personally drop the crownlabs-policies-privilege-escalation and crownlabs-policies-run-as-non-root policies, as they make sense, but require a modification of the deployment manifests (this could create problems when students experiment for the first time).
- I would add the following policies (from the kyverno repo), as targeting definitely dangerous aspects:
- I would keep the information about the installation of kyverno in the infrastructure/policies folder, while moving the chart with the policies in a policies folder in the root of the repo, to separate the two things (as we will also need to customize the kyverno values file when installing it on CrownLabs).
Two review threads on infrastructure/policies/templates/require_pods_runAsNonRoot.yaml (outdated, resolved).
Branch updated: 08ce053 to 1a703df
Branch updated: 1a703df to 0d804df
We just corrected the PR following your comments. Hoping to have done everything right, how should we proceed with regard to the kyverno values to be customized?
A couple of additional comments inline. Moreover, please delete the empty values file for the moment (the one in the infrastructure folder).
Branch updated: 0d804df to cdd2184
Branch updated: cdd2184 to f13d30e
Looks almost ready to me. Just a few very minor comments inline. Additionally, you should fix the conflicts and double-check all files to remove the trailing spaces at the end of the lines.
Branch updated: 3f88b1f to 39b87b6
A couple of final nits inline. Please also generalize the commit message, then we can go ahead and merge the PR.
Co-authored-by: Grazia D'Onghia <graziadonghia925@gmail.com>
Branch updated: 39b87b6 to 48c42d0
/merge
Description
This PR aims to apply some cluster-wide policies based on the Kyverno framework. Three main security requirements:
These policies are applied only to sandbox namespaces.
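The two policies named in the review (privilege escalation and run-as-non-root) and the description's requirement that they apply only to sandbox namespaces can be expressed as a single Kyverno ClusterPolicy. The manifest below is an added example written for this page; it is not the template file from the PR or from the CrownLabs repository. It combines both rules in one policy and scopes them with a namespaceSelector, which the page only describes in words. The policy name and the namespace label `example.com/sandbox` are placeholders, since the page does not give the label that marks a sandbox namespace; the pattern syntax itself is Kyverno's standard validate syntax (`=(field)` means "if present, must match").

```yaml
# Added example, not the PR's own template. One Kyverno ClusterPolicy carrying
# the two rules discussed in the review, restricted to sandbox namespaces.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sandbox-pod-security            # placeholder name
spec:
  # Audit records violations in PolicyReports without rejecting the Pod.
  # Switch to Enforce only after the deployment manifests used in sandbox
  # namespaces set these fields; otherwise unchanged manifests are rejected,
  # which is the concern the reviewer raised above.
  validationFailureAction: Audit
  # Also scan Pods that already exist, not just new admission requests.
  background: true
  rules:
    - name: run-as-non-root
      match:
        any:
          - resources:
              kinds:
                - Pod
              # ASSUMPTION: sandbox namespaces carry this label. The real key
              # is not given on the page; replace it with the cluster's own.
              namespaceSelector:
                matchLabels:
                  example.com/sandbox: "true"
      validate:
        message: >-
          Running as root is not allowed. Set spec.securityContext.runAsNonRoot
          to true, or set securityContext.runAsNonRoot to true on every
          container, initContainer and ephemeralContainer.
        # Either the Pod-level default is true and no container overrides it
        # to false, or every container sets the field to true itself.
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: true
              =(ephemeralContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              =(initContainers):
                - =(securityContext):
                    =(runAsNonRoot): true
              containers:
                - =(securityContext):
                    =(runAsNonRoot): true
          - spec:
              =(ephemeralContainers):
                - securityContext:
                    runAsNonRoot: true
              =(initContainers):
                - securityContext:
                    runAsNonRoot: true
              containers:
                - securityContext:
                    runAsNonRoot: true
    - name: deny-privilege-escalation
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaceSelector:
                matchLabels:
                  example.com/sandbox: "true"   # same ASSUMED label as above
      validate:
        message: >-
          Privilege escalation is disallowed. Every container, initContainer
          and ephemeralContainer must set
          securityContext.allowPrivilegeEscalation to false.
        # No anyPattern here: the field must be explicitly false everywhere,
        # because the kubelet default for allowPrivilegeEscalation is true.
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: "false"
            containers:
              - securityContext:
                  allowPrivilegeEscalation: "false"
```

Apply it with `kubectl apply -f`, create a Pod without these fields in a labelled namespace, and read the result with `kubectl get policyreport -n <namespace>`; in Audit mode the Pod is admitted and the violation appears in the report, which is the safe way to measure how many existing sandbox manifests would break before moving to Enforce.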