Adding privileged, allowPrivilegedEscalation and readOnlyRootFilesyst… #473

Merged
merged 3 commits into from
Apr 24, 2021


phlukman
Contributor

Adding privileged, allowPrivilegedEscalation and readOnlyRootFilesystem to container security context, also adjusting deployment.yaml

ISSUE TYPE
  • Feature Pull Request
SUMMARY

Need to add more granular control to the container's security context. I'd need to add these extra attributes as well as liveness and readiness probes. Is this something that can be included in the code?
Thank you!

…em to container security context, also adjusting deployment.yaml
@PrasadG193
Collaborator

Thanks for the PR @phlukman, could you please provide the output of helm install botkube --dry-run --debug ./helm/botkube command?

@phlukman
Contributor Author

Hi @PrasadG193, thanks for the feedback. Here is the output:

Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: [ValidationError(Deployment.spec.template.spec.volumes[0].projected): unknown field "allowPrivilegeEscalation" in io.k8s.api.core.v1.ProjectedVolumeSource, ValidationError(Deployment.spec.template.spec.volumes[0].projected): unknown field "privileged" in io.k8s.api.core.v1.ProjectedVolumeSource, ValidationError(Deployment.spec.template.spec.volumes[0].projected): unknown field "readOnlyRootFilesystem" in io.k8s.api.core.v1.ProjectedVolumeSource, ValidationError(Deployment.spec.template.spec.volumes[0].projected): unknown field "runAsGroup" in io.k8s.api.core.v1.ProjectedVolumeSource, ValidationError(Deployment.spec.template.spec.volumes[0].projected): unknown field "runAsUser" in io.k8s.api.core.v1.ProjectedVolumeSource]

@PrasadG193
Collaborator

@phlukman looks like helm install --dry-run command is failing, can you please fix that?
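
The dry-run error quoted earlier in this thread reports all five security-context fields as unknown under `Deployment.spec.template.spec.volumes[0].projected`, meaning they were rendered into the projected volume rather than a `securityContext`. The following is an added example, not code from this PR or the BotKube chart: a small check that walks a rendered Deployment and lists such misplaced fields. The manifests, image name, volume name and UID/GID values are constructed for illustration.

```python
import re

# Fields this PR adds; the first three exist only in a container's securityContext.
CONTAINER_ONLY = {"privileged", "allowPrivilegeEscalation", "readOnlyRootFilesystem"}
SHARED = {"runAsUser", "runAsGroup"}  # also valid in the pod-level securityContext
CONTAINER_CTX = re.compile(r"\.(initContainers|containers)\[\d+\]\.securityContext$")
POD_CTX = re.compile(r"\.template\.spec\.securityContext$")


def misplaced_fields(node, path="Deployment"):
    """Return sorted paths of securityContext fields rendered in the wrong object."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in CONTAINER_ONLY | SHARED:
                in_container = bool(CONTAINER_CTX.search(path))
                in_pod = key in SHARED and bool(POD_CTX.search(path))
                if not (in_container or in_pod):
                    found.append(f"{path}.{key}")
            found.extend(misplaced_fields(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(misplaced_fields(item, f"{path}[{index}]"))
    return sorted(found)


# Constructed values, not taken from the chart's values.yaml.
CTX = {"privileged": False, "allowPrivilegeEscalation": False,
       "readOnlyRootFilesystem": True, "runAsUser": 101, "runAsGroup": 101}


def deployment(ctx_on_container):
    """Build a constructed Deployment; False reproduces the placement in the error."""
    container = {"name": "botkube", "image": "example/image:tag"}
    projected = {"sources": [{"configMap": {"name": "example-configmap"}}]}
    if ctx_on_container:
        container["securityContext"] = dict(CTX)
    else:
        projected.update(CTX)  # fields land under volumes[0].projected
    return {"spec": {"template": {"spec": {
        "containers": [container],
        "volumes": [{"name": "projected-config", "projected": projected}]}}}}


if __name__ == "__main__":
    for label, manifest in (("broken", deployment(False)), ("fixed", deployment(True))):
        print(label, misplaced_fields(manifest) or "ok")
```
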

@phlukman
Contributor Author

phlukman commented Apr 19, 2021

hi @PrasadG193

Please find attached the output of the dry-run

output-json.md

@mergify mergify bot merged commit 6d7c338 into kubeshop:develop Apr 24, 2021
@phlukman phlukman deleted the feature/add-granular-security-context branch April 27, 2021 13:08