Checks should generate resources (Deployments/Daemonset/Pods) conforming to PSA #1243

Open
peschmae opened this issue Apr 13, 2024 · 1 comment
Labels
feature request A request for a specific feature to be added to Kuberhealthy Stale

peschmae commented Apr 13, 2024

Describe the feature you would like and why you want it
Currently the Deployment & Daemonset checks generate minimal or no securityContext at all when spawning the set of resources to check.

e.g. Deployment check: https://github.com/kuberhealthy/kuberhealthy/blob/master/cmd/deployment-check/deployment.go#L89
Daemonset check: https://github.com/kuberhealthy/kuberhealthy/blob/master/cmd/daemonset-check/run_check.go#L394

Even though both of those checks could easily run in a namespace restricted with PSA restricted, currently they require the namespace to be set to privileged since they don't set all the required values to conform to the PodSecurityAdmission policies.

Additional context
While this might not be possible for all checks (e.g. I'm not sure about the DNS check, but even that should be able to run with capabilities.drop = ALL)
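
Added example (not part of the issue and not Kuberhealthy code): a standard-library Go checker that reports which of four securityContext controls from the "restricted" Pod Security Standard a generated pod spec fails, including pod-level inheritance of runAsNonRoot and seccompProfile. The struct types, function name and both sample specs are constructed for illustration, and the other restricted-profile controls (volume types, runAsUser, host namespaces) are out of scope here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// secCtx is a local stand-in for the k8s.io/api types; encoding/json matches keys case-insensitively.
type secCtx struct {
	RunAsNonRoot, AllowPrivilegeEscalation *bool
	SeccompProfile                         struct{ Type string }
	Capabilities                           struct{ Drop []string }
}

// restrictedViolations lists which of the four checked controls each container fails.
func restrictedViolations(specJSON []byte) (out []string, err error) {
	var p struct {
		SecurityContext secCtx
		Containers      []struct{ Name string; SecurityContext secCtx }
	}
	if err = json.Unmarshal(specJSON, &p); err != nil {
		return nil, err
	}
	fail := func(bad bool, msg string) {
		if bad {
			out = append(out, msg)
		}
	}
	for _, c := range p.Containers {
		sc := c.SecurityContext
		if sc.RunAsNonRoot == nil { // unset on the container: the pod-level value applies
			sc.RunAsNonRoot = p.SecurityContext.RunAsNonRoot
		}
		if sc.SeccompProfile.Type == "" {
			sc.SeccompProfile = p.SecurityContext.SeccompProfile
		}
		fail(sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot, c.Name+": runAsNonRoot must be true")
		fail(sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation, c.Name+": allowPrivilegeEscalation must be false")
		fail(sc.SeccompProfile.Type != "RuntimeDefault" && sc.SeccompProfile.Type != "Localhost", c.Name+": seccompProfile.type must be RuntimeDefault or Localhost")
		fail(!strings.Contains(","+strings.Join(sc.Capabilities.Drop, ",")+",", ",ALL,"), c.Name+": capabilities.drop must include ALL")
	}
	return out, nil
}

const bareSpec = `{"containers":[{"name":"check"}]}` // constructed: no securityContext at all
const hardenedSpec = `{"securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},"containers":[{"name":"check","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}]}`

func main() {
	fmt.Println(restrictedViolations([]byte(bareSpec)))
	fmt.Println(restrictedViolations([]byte(hardenedSpec)))
}
```
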

@peschmae peschmae added the feature request A request for a specific feature to be added to Kuberhealthy label Apr 13, 2024
@peschmae peschmae changed the title Checks should Checks should generate resources (Deployments/Daemonset/Pods) conforming to PSA Apr 13, 2024
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment on the issue or this will be closed in 15 days.
