Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: make zarf-agent pods comply with offical restricted pod security standard #3036

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat: make zarf-agent pods comply with offical restricted pod security standard #3036

wants to merge 5 commits into from

Conversation

Ansible-man
Copy link

Comply with k8s restricted pod security standard

Description

Adds security context to zarf-agent to ensure compliance with Kubernetes restricted pod security standard used in high security environments.
...

Related Issue

Fixes #2932

Relates to #

Checklist before merging

@Ansible-man Ansible-man requested review from a team as code owners September 26, 2024 03:08
@netlify Netlify
Copy link

netlify bot commented Sep 26, 2024
edited
Loading

Deploy Preview for zarf-docs canceled.

Name Link
🔨 Latest commit 4a4a150
🔍 Latest deploy log https://app.netlify.com/sites/zarf-docs/deploys/671b7e81ea2e4e0008493308

@Ansible-man
Copy link
Author

Made an non-impactful change to fix my commit not being verified as seen in commit #2

@AustinAbro321
Copy link
Contributor

@Ansible-man thanks for making this. Could you also fix the dco error by following these instructions

@codecov Codecov
Copy link

codecov bot commented Sep 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

@AustinAbro321 AustinAbro321 changed the title Add security context to zarf-agent in order to comply with offical re… feat: add security context to zarf-agent in order to comply with offical restricted pod security standard Sep 26, 2024
@AustinAbro321 AustinAbro321 changed the title feat: add security context to zarf-agent in order to comply with offical restricted pod security standard feat: make zarf-agent pods comply with offical restricted pod security standard Sep 26, 2024
AustinAbro321
AustinAbro321 previously approved these changes Sep 26, 2024
View reviewed changes
@Ansible-man
Copy link
Author

@AustinAbro321 I should be able to do that tomorrow at some point. Thank you and happy to help where I can!

@Miaoxiang-philips
Copy link
Contributor

@AustinAbro321 I should be able to do that tomorrow at some point. Thank you and happy to help where I can!

Hi @AustinAbro321 It seems that the DCO problem has not been solved, do you need help?

@Ansible-man
Copy link
Author

Ansible-man commented Oct 10, 2024 via email

@phillebaba
Copy link
Member

@Ansible-man could you resolve DCO?

@phillebaba
Copy link
Member

Part of #2757

@Miaoxiang-philips
Copy link
Contributor

Miaoxiang-philips commented Oct 12, 2024
edited
Loading

Is there still something I need to do here?

@Ansible-man You can follow the prompts to execute the commands

image

@schristoff
Copy link
Contributor

Hey @Ansible-man - we really appreciate this PR. If you could follow the steps outlined above we can get this merged. If you're unable to do that within the next week, we will have to close this and merge this with a signed DCO under someone else.

Thanks!

@Ansible-man
Copy link
Author

Ansible-man commented Oct 18, 2024 via email

Cade Thomas and others added 3 commits October 19, 2024 00:50
@Ansible-man
Add security context to zarf-agent in order to comply with offical re…
09bfd04 
…stricted PSS

Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
@Ansible-man
Add security context to zarf-agent in order to comply with offical re…
22afbea 
…stricted PSS

Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
@schristoff @Ansible-man
fix: nightly by removing logline no longer printed (zarf-dev#3038)
d30d04a 
Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
@Ansible-man
Copy link
Author

Sorry that took so long @schristoff . I just got around to reading everything. If that did not fix it let me know and I will get right back on it. Looking forward to helping out more in the future

@phillebaba
Copy link
Member

@Ansible-man could you rebase?

@Ansible-man
Copy link
Author

Ansible-man commented Oct 22, 2024 via email

@phillebaba
Copy link
Member

@Ansible-man there is a conflict with a change done in main which needs to be resolved before we can merge.

@Ansible-man
Copy link
Author

Ansible-man commented Oct 23, 2024 via email

@Ansible-man
Copy link
Author

Let me know if that resolved it

phillebaba
phillebaba reviewed Oct 25, 2024
View reviewed changes
src/test/nightly/ecr_publish_test.go
@@ -61,6 +61,8 @@ func TestECRPublishing(t *testing.T) {
// Ensure we get a warning when trying to inspect the online published package
stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", upstreamPackageURL, keyFlag, "--sbom-out", tmpDir, "--skip-signature-validation")
require.NoError(t, err, stdOut, stdErr)
require.Contains(t, stdErr, "Validating SBOM checksums")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this being added to the test? Can we remove this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@phillebaba phillebaba phillebaba left review comments

@AustinAbro321 AustinAbro321 AustinAbro321 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Zarf overwrites namespace labels required when deploying to env with restricted pod security standard
5 participants
@Ansible-man @AustinAbro321 @Miaoxiang-philips @phillebaba @schristoff