Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

config security context #6052

Merged
merged 1 commit into from
Jan 17, 2025
Merged

config security context #6052

merged 1 commit into from
Jan 17, 2025

Conversation

zhzhuang-zju
Copy link
Contributor

@zhzhuang-zju zhzhuang-zju commented Jan 16, 2025
edited
Loading

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
A security context defines privilege and access control settings for a Pod or Container. More details can refer to https://www.dynatrace.com/engineering/blog/kubernetes-security-part-3-security-context/

This PR restricted the component's security context, including,

  • set allowPrivilegeEscalation to false
  • set privileged to false,
  • configured the seccompProfile to RuntimeDefault

Regarding runAsUser and runAsNonRoot, unfortunately, imposing these restrictions resulted in abnormal functionality of the component, so they could not be applied. As for readOnlyRootFilesystem, implementing this would reduce convenience during troubleshooting. Given that the manifests files maintained under the artifacts directory are primarily used by developers, this PR decides not to set this option for now.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
For other installation methods, this configuration can be adapted later, and it should provide users with the ability to customize security context.

Does this PR introduce a user-facing change?:

@karmada-bot karmada-bot added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Jan 16, 2025
@karmada-bot karmada-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jan 16, 2025
@codecov-commenter
Copy link

codecov-commenter commented Jan 16, 2025
edited
Loading

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 48.36%. Comparing base (253dc79) to head (3e9ef29).
Report is 16 commits behind head on master.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #6052   +/-   ##
=======================================
  Coverage   48.36%   48.36%           
=======================================
  Files         666      666           
  Lines       54831    54842   +11     
=======================================
+ Hits        26519    26526    +7     
- Misses      26593    26596    +3     
- Partials     1719     1720    +1
Flag Coverage Δ
unittests 48.36% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@RainbowMango RainbowMango added this to the v1.13 milestone Jan 16, 2025
@zhzhuang-zju
config security context
3e9ef29 
Signed-off-by: zhzhuang-zju <[email protected]>
RainbowMango
RainbowMango approved these changes Jan 17, 2025
View reviewed changes
Copy link
Member

@RainbowMango RainbowMango left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@karmada-bot karmada-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 17, 2025
@karmada-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot karmada-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 17, 2025
@karmada-bot karmada-bot merged commit 4f86921 into karmada-io:master Jan 17, 2025
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RainbowMango RainbowMango RainbowMango approved these changes

@chaunceyjiang chaunceyjiang Awaiting requested review from chaunceyjiang

Assignees

@RainbowMango RainbowMango

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.13
Development

Successfully merging this pull request may close these issues.
4 participants
@zhzhuang-zju @codecov-commenter @karmada-bot @RainbowMango