helm chart: apply least required privileges in security contexts #3925
Conversation
k8s-ci-robot
added
release-note-none
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rptaylor The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @rptaylor. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/XS
✅ Deploy Preview for kubernetes-sigs-kueue ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
/ok-to-test Should we add this as the default deployment for the manager pod of kueue in the kustomize? |
k8s-ci-robot
added
ok-to-test
Probably the different deployment options should be as consistent as possible with each other. |
Yea, I'd add this here |
| @@ -13,7 +13,7 @@ type: application | |||
| # This is the chart version. This version number should be incremented each time you make changes | |||
| # to the chart and its templates, including the app version. | |||
| # Versions are expected to follow Semantic Versioning (https://semver.org/) | |||
| version: 0.1.0 | |||
| version: 0.1.1 | |||
There was a problem hiding this comment.
Is this change required? If no please revert / move to a dedicated PR.
There was a problem hiding this comment.
Yes, an updated chart always needs an updated version, unless perhaps you have some CI that automatically takes care of incrementing the chart version? But the comment right there says "This version number should be incremented each time you make changes to the chart and its templates".
| @@ -29,8 +29,13 @@ controllerManager: | |||
| memory: 512Mi | |||
| podSecurityContext: | |||
| runAsNonRoot: true | |||
| seccompProfile: | |||
There was a problem hiding this comment.
Please also update the manager.yaml.
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Remove unneeded/unused privileges, to follow security best practices by default and enable installation of kueue on clusters that enforce PSS.
Which issue(s) this PR fixes:
Fixes #3850
Special notes for your reviewer:
Users can keep the same behaviour as before if they want by setting
Does this PR introduce a user-facing change?