
chore: declare pod securityContext explicitly #1458

Merged
merged 4 commits into from
Aug 1, 2022

Conversation

tolusha
Contributor

@tolusha tolusha commented Jul 27, 2022

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

What does this PR do?

Declare securityContext explicitly for all pods managed by che-operator

      securityContext:
        capabilities:
          drop:
            - ALL
        allowPrivilegeEscalation: false
        runAsNonRoot: true

Screenshot/screencast of this PR

N/A

What issues does this PR fix or reference?

eclipse-che/che#21559

How to test this PR?

N/A

PR Checklist

As the author of this Pull Request I made sure that:

Reviewers

Reviewers, please comment how you tested the PR when approving it.

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@openshift-ci

openshift-ci bot commented Jul 27, 2022

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tolusha tolusha marked this pull request as draft July 27, 2022 13:08
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@codecov

codecov bot commented Jul 27, 2022

Codecov Report

Merging #1458 (ad37118) into main (d6f5dbd) will decrease coverage by 0.05%.
The diff coverage is 43.75%.

@@            Coverage Diff             @@
##             main    #1458      +/-   ##
==========================================
- Coverage   60.41%   60.36%   -0.06%     
==========================================
  Files          74       74              
  Lines        6286     6275      -11     
==========================================
- Hits         3798     3788      -10     
- Misses       2118     2119       +1     
+ Partials      370      368       -2     
Impacted Files Coverage Δ
pkg/deploy/deployment.go 56.38% <0.00%> (-2.51%) ⬇️
pkg/deploy/gateway/gateway.go 83.67% <75.00%> (+0.04%) ⬆️
pkg/deploy/dashboard/deployment_dashboard.go 98.74% <100.00%> (-0.07%) ⬇️
pkg/deploy/dev-workspace/dev_workspace_syncer.go 81.18% <100.00%> (+0.18%) ⬆️
...ploy/devfileregistry/devfileregistry_deployment.go 100.00% <100.00%> (ø)
...deploy/pluginregistry/pluginregistry_deployment.go 100.00% <100.00%> (ø)
pkg/deploy/postgres/postgres_deployment.go 94.07% <100.00%> (+2.77%) ⬆️
pkg/deploy/server/server_deployment.go 81.68% <100.00%> (+1.03%) ⬆️


@tolusha tolusha marked this pull request as ready for review July 27, 2022 20:03
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha
Contributor Author

tolusha commented Jul 28, 2022

on OpenShift :

pods "che-operator-d4bdfcc4d-" is forbidden: unable to validate against
any security context constraint: [provider "anyuid": Forbidden: not
usable by user or serviceaccount, provider restricted:
.spec.securityContext.fsGroup: Invalid value: []int64{1724}: 1724 is not
an allowed group, spec.containers[0].securityContext.runAsUser: Invalid
value: 1724: must be in the ranges: [1000400000, 1000409999], provider
"nonroot": Forbidden: not usable by user or serviceaccount, provider
"hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by
user or serviceaccount, provider "hostnetwork": Forbidden: not usable by
user or serviceaccount, provider "hostaccess": Forbidden: not usable by
user or serviceaccount, provider "node-exporter": Forbidden: not usable
by user or serviceaccount, provider "privileged": Forbidden: not usable
by user or serviceaccount
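
The securityContext declared in the PR description and the restricted-SCC rejection quoted above can be checked before deployment. The following is an added example, not che-operator code: it lints pod-spec dicts that mirror the YAML for the PR's container-level settings, and, when given the UID range from the error message, flags hard-coded fsGroup and out-of-range runAsUser values the way the restricted SCC did. The sample pod spec is constructed here.

```python
# Added example, not che-operator code: lint pod-spec dicts (mirroring the
# YAML) for the securityContext this PR declares. The UID range is the one
# quoted in the OpenShift SCC error above.

# Container-level settings the PR declares for every managed pod.
REQUIRED_CONTAINER_SC = {"allowPrivilegeEscalation": False, "runAsNonRoot": True}

# Constructed sample: one container matches the PR, the other keeps the old
# shape that hard-coded UID 1724 and tripped the restricted SCC.
SAMPLE_POD_SPEC = {
    "securityContext": {"fsGroup": 1724},
    "containers": [
        {"name": "che-operator", "securityContext": {
            "capabilities": {"drop": ["ALL"]},
            "allowPrivilegeEscalation": False, "runAsNonRoot": True}},
        {"name": "legacy", "securityContext": {"runAsUser": 1724}},
    ],
}
RESTRICTED_UID_RANGE = (1000400000, 1000409999)


def check_container(container, uid_range=None):
    """Return findings for one container dict; an empty list means compliant."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    findings = []
    for key, want in REQUIRED_CONTAINER_SC.items():
        if sc.get(key) is not want:
            findings.append(f"{name}: {key} should be {want}, got {sc.get(key)}")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        findings.append(f"{name}: capabilities.drop must include ALL")
    uid = sc.get("runAsUser")
    if uid is not None and uid_range and not uid_range[0] <= uid <= uid_range[1]:
        findings.append(f"{name}: runAsUser {uid} outside range {list(uid_range)}")
    return findings


def check_pod_spec(spec, uid_range=None):
    """Return findings for the pod level plus every container; uid_range models
    a restricted SCC, which rejects hard-coded fsGroup/out-of-range runAsUser."""
    findings = []
    pod_sc = spec.get("securityContext") or {}
    if uid_range and "fsGroup" in pod_sc:
        findings.append(f"pod: fsGroup {pod_sc['fsGroup']} is hard-coded; "
                        "let the SCC assign it from the namespace range")
    for container in spec.get("containers", []):
        findings.extend(check_container(container, uid_range))
    return findings
```

Run against the sample, the compliant container produces no findings while the legacy one and the pod-level fsGroup reproduce the kinds of violations the SCC reported.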

Signed-off-by: Anatolii Bazko <abazko@redhat.com>
@tolusha tolusha changed the title feat: ensure pod security standard chore: declare explicitly pod securityContext Jul 29, 2022
@tolusha tolusha changed the title chore: declare explicitly pod securityContext chore: declare pod securityContext explicitly Jul 29, 2022
@tolusha tolusha merged commit 152c821 into main Aug 1, 2022
@tolusha tolusha deleted the 21559 branch August 1, 2022 07:00
@che-bot che-bot added this to the 7.52 milestone Aug 1, 2022