Make the default security policies of kueue compatible with the restricted policy #2105
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: rhaps0dy
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Hi @rhaps0dy. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@@ -19,6 +19,11 @@ controllerManager: | |||
tag: v0.8.0 | |||
# This should be set to 'IfNotPresent' for released version | |||
pullPolicy: IfNotPresent | |||
containerSecurityContext: |
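Review bot: the added containerSecurityContext key at the end of this hunk has no explanatory comment, while the pullPolicy line just above it does. A one-line comment saying that the defaults are meant to satisfy the restricted Pod Security Standard, and that overriding them can break that, would help chart users. The values under the key are not visible in this excerpt, so they should be checked against the standard separately.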
if it can perfectly run in a restricted environment... let's not make it configurable?
OK, that seems fine. I thought folks would want to make it even more restricted, (e.g. using readOnlyRootFilesystem: true, which I haven't bothered to do here, or a more restrictive seccompProfile).
I'm happy to just change it and leave it unconfigurable too.
Off the top of your head, do you know which directory/ies kueue tries to write to? (so we can make them emptyDirs and restrict read/write of root FS). No worries if it's too complicated to just write, I asked in case it's easy for you.
We don't write to disk at all and I don't think we intend to. kueue is pretty stateless.
OK, I'll look into why readOnlyRootFilesystem: true failed on my cluster then.
Uhmm... I think I remember seeing that the cert logic writes to disk.
/ok-to-test
cc @Gekko0114 in case you have an opinion on whether to make the security profile configurable.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Many Kubernetes clusters enforce security standards on the pods that run. Kueue can run perfectly well under the restricted standard, so we should comply with it by default.
This PR makes the default securityContext settings for the Kueue controller manager pods and containers be compliant with the restricted security standard.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Does this PR introduce a user-facing change?