Updating GOV.UK Generic chart to be PSS restricted compliant. #1860
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adding seccomp defaults drop all capabilities within running containers Currently deploying application using the current chart will give the following warnings results: Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (containers "app", "nginx" must set securityContext.capabilities.drop=["ALL"]) deployment.apps/transition-pss created Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (container "worker" must set securityContext.capabilities.drop=["ALL"]) deployment.apps/transition-pss-worker created Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (containers "copy-assets-for-upload", "upload-assets" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "copy-assets-for-upload", "upload-assets" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") job.batch/transition-pss-upload-assets created Warning: would violate PodSecurity "restricted:latest": unrestricted capabilities (container "dbmigrate" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "dbmigrate" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") After the applied changes the results are: deployment.apps/transition-pss created deployment.apps/transition-pss-worker created job.batch/transition-pss-upload-assets created job.batch/transition-pss-dbmigrate created Warnings are corrected. All apps will need to be tested to ensure that the chnages do not cause any issues - i have tested one app which came up without errors, neverthless this will need to be rolled out to Integration and staging to discover issues.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding:
Currently deploying application using the current chart will give the following warnings results:
After the applied changes the results are:
Warnings are corrected.
All apps will need to be tested to ensure that the changes do not cause any issues.
I have tested one app which came up without errors, nevertheless this will need to be rolled out to Integration and staging to discover issues.
#1883