
Conversation

@cognifloyd
Member

This adds values to define the securityContext for:

  • custom st2packs images
  • extra_hooks jobs (container and pod)

Some of the init and jobs containers need more permissions to copy/modify files. The st2actionrunner pods are most likely to have the most permissive permissions, so default to that if the deployment/job-specific securityContext values are not defined.

…back for some

Some of the jobs and other utility containers need more permissions to modify files.
The st2actionrunner pods are most likely to have the most permissive permissions,
so default to that if the deployment/job-specific securityContext values are not defined.
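The fallback order described above (job- or container-specific securityContext, then st2actionrunner's, then the global one), modelled as an added Go example that is not the chart's own template code. The lookup mirrors Helm's `coalesce` semantics where an empty `{}` counts as unset; the field names are standard Kubernetes securityContext fields and the sample values are constructed, and the second function reports which hardening fields the chosen fallback relaxes relative to the global baseline, which is the trade-off discussed in the review.

```go
package main

import (
	"fmt"
	"sort"
)

// SecurityContext is a plain map, as it would be read from values.yaml.
type SecurityContext map[string]any

// defined mirrors Helm's coalesce semantics: nil and an empty map {} both count as "not set".
func defined(sc SecurityContext) bool { return len(sc) > 0 }

// Resolve returns the effective securityContext for a job or init container using the
// fallback order from the PR: workload-specific -> st2actionrunner -> global.
// Candidates are passed most-specific first; an empty context is returned if none is set.
func Resolve(candidates ...SecurityContext) SecurityContext {
	for _, c := range candidates {
		if defined(c) {
			return c
		}
	}
	return SecurityContext{}
}

// Loosened lists the hardening fields that the effective context relaxes compared with the
// global baseline. A non-empty result is what a reviewer preferring a least-privilege
// fallback would flag: the st2actionrunner context is chosen because it is the most permissive.
func Loosened(effective, baseline SecurityContext) []string {
	hardenedTrue := []string{"runAsNonRoot", "readOnlyRootFilesystem"} // true is the hardened value
	hardenedFalse := []string{"privileged", "allowPrivilegeEscalation"} // false is the hardened value
	var out []string
	for _, f := range hardenedTrue {
		if baseline[f] == true && effective[f] != true {
			out = append(out, f)
		}
	}
	for _, f := range hardenedFalse {
		if baseline[f] == false && effective[f] != false {
			out = append(out, f)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed values: the global context is the tightest, st2actionrunner needs a writable root fs.
	global := SecurityContext{"runAsNonRoot": true, "readOnlyRootFilesystem": true, "allowPrivilegeEscalation": false}
	actionrunner := SecurityContext{"runAsNonRoot": true, "readOnlyRootFilesystem": false, "allowPrivilegeEscalation": false}
	hook := SecurityContext{} // an extra_hooks job with no securityContext of its own
	eff := Resolve(hook, actionrunner, global)
	fmt.Println("effective:", eff, "loosened vs global:", Loosened(eff, global))
}
```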
@cognifloyd cognifloyd added the enhancement New feature or request label Apr 10, 2024
@cognifloyd cognifloyd requested a review from a team April 10, 2024 20:20
@cognifloyd cognifloyd self-assigned this Apr 10, 2024
@pull-request-size pull-request-size bot added the size/M PR that changes 30-99 lines. Good size to review. label Apr 10, 2024

@winem winem left a comment


I'd usually prefer to fall back to the least privileged securityContext, but the way you implemented it is a big improvement to the current state security-wise, and people who will make use of it will also be skilled enough to choose a more restricted context setting. Well done!

@pull-request-size pull-request-size bot added size/L PR that changes 100-499 lines. Requires some effort to review. and removed size/M PR that changes 30-99 lines. Good size to review. labels Apr 10, 2024
@cognifloyd
Member Author

I figure the global securityContext and podSecurityContext would have the least privileged bit. But some things like st2web and st2actionrunner and some of the init containers needed a bit more than that in my env. I figured that the init containers are somewhat opaque to the helm chart user, and I didn't want to add a lot of extra values, so I opted to have those init containers fall back to the permissions that are most likely to allow them to function.

@cognifloyd cognifloyd merged commit 132583c into master Apr 11, 2024
@cognifloyd cognifloyd deleted the securityContextDefaults branch April 11, 2024 01:34
@cognifloyd cognifloyd added this to the v1.1.0 milestone Apr 11, 2024