
fix: add missing seccompProfile to comply with restricted policy #1493

Merged
merged 3 commits into from
Aug 29, 2024

Conversation

hamidos
Contributor

@hamidos hamidos commented Aug 2, 2024

What type of PR is this?

/kind bug

What does this PR do / why we need it:

Add missing seccompProfile to comply with restricted policy

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

#1492

@hamidos hamidos force-pushed the master branch 2 times, most recently from 1f8317f to 00fe2c9 Compare August 5, 2024 13:02
@svghadi
Collaborator

svghadi commented Aug 8, 2024

Hi @hamidos, thanks for the PR. The change looks good. Can you fix the code-gen CI job? Below should probably fix it

make operator-sdk controller-gen
make generate manifests bundle

@hamidos hamidos force-pushed the master branch 2 times, most recently from 3c7348b to 3fd0dbc Compare August 9, 2024 14:16
@hamidos
Contributor Author

hamidos commented Aug 9, 2024

Hello @svghadi, thank you for your feedback.
I fixed the code-gen CI job and also added the seccompProfile to the argocd components: applicationset, dex, notifications, redis and the exporter job.

@svghadi
Collaborator

svghadi commented Aug 12, 2024

Awesome. I will run some local tests to see if any other deployment needs seccompProfile.

@svghadi
Collaborator

svghadi commented Aug 25, 2024

Ran some tests; the change looks good. We are still missing securityContext for the keycloak deployment. Can we handle that in this PR?

$ kubectl label --overwrite --dry-run=server ns test pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "test" violate the new PodSecurity enforce level "restricted:latest"
Warning: keycloak-6b8bbb786d-zrssz: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/test labeled (server dry run)

The changes will probably need to be made in 2 places for keycloak:
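The dry-run warning above lists the four restricted-policy checks the keycloak pod fails. As an added illustration (not code from the argocd-operator project), the following stand-alone checker re-implements just those four checks over a pod spec given as a plain dict, so a manifest can be validated offline before it lands in a namespace enforcing `pod-security.kubernetes.io/enforce=restricted`. The two sample pod specs are constructed here: one shaped like the pre-fix keycloak pod with no securityContext, and one carrying the fields the PR adds. The checker covers only these four checks, not the full restricted profile (for example it does not inspect `runAsUser`, volumes or host namespaces).

```python
# Added example: a minimal offline checker for the four "restricted" Pod Security
# Standard violations named in the kubectl dry-run warning. Stdlib only; pod specs
# are plain dicts in the same shape as the YAML `spec:` of a Pod.

RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _containers(pod_spec):
    # Init containers are subject to the same checks as regular containers.
    return pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def _effective(pod_spec, container, field):
    # For pod-level fields, a container-level securityContext overrides the
    # pod-level value; an unset field evaluates to None.
    value = (container.get("securityContext") or {}).get(field)
    if value is not None:
        return value
    return (pod_spec.get("securityContext") or {}).get(field)


def restricted_violations(pod_spec):
    """Return the restricted-policy violations, phrased like kubectl's warning."""
    violations = []
    containers = _containers(pod_spec)

    # 1. allowPrivilegeEscalation must be explicitly false in every container.
    if any((c.get("securityContext") or {}).get("allowPrivilegeEscalation") is not False
           for c in containers):
        violations.append("allowPrivilegeEscalation != false")

    # 2. capabilities must drop ALL; only NET_BIND_SERVICE may be added back.
    def caps_ok(c):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        drops = {d.upper() for d in caps.get("drop", [])}
        adds = {a.upper() for a in caps.get("add", [])}
        return "ALL" in drops and adds <= {"NET_BIND_SERVICE"}

    if not all(caps_ok(c) for c in containers):
        violations.append("unrestricted capabilities")

    # 3. runAsNonRoot must be true, set at pod level or in every container.
    if not all(_effective(pod_spec, c, "runAsNonRoot") is True for c in containers):
        violations.append("runAsNonRoot != true")

    # 4. seccompProfile.type must be RuntimeDefault or Localhost for every
    #    container, inherited from the pod level unless the container overrides it.
    def seccomp_ok(c):
        profile = _effective(pod_spec, c, "seccompProfile") or {}
        return profile.get("type") in RESTRICTED_SECCOMP

    if not all(seccomp_ok(c) for c in containers):
        violations.append("seccompProfile")

    return violations


# Constructed sample resembling the pre-fix keycloak pod: no securityContext at all.
BEFORE = {
    "containers": [{"name": "keycloak", "image": "keycloak:example"}],
}

# Constructed sample carrying the fields the PR adds, split between pod and
# container level the way a restricted-compliant manifest typically does.
AFTER = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "keycloak",
        "image": "keycloak:example",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for name, spec in (("before", BEFORE), ("after", AFTER)):
        print(name, restricted_violations(spec) or "ok")
```

Running the block prints the same four items for the `before` spec that the kubectl warning shows for the keycloak pod, and `ok` for the `after` spec. The checker is intentionally strict about overrides: a pod-level `RuntimeDefault` seccomp profile does not help a container that sets its own `seccompProfile.type: Unconfined`, which is the kind of regression worth catching in CI before an enforcing namespace rejects the rollout.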

Signed-off-by: hamidos <ed.hamido@gmail.com>
@hamidos
Contributor Author

hamidos commented Aug 27, 2024

Hello @svghadi,
I've added the security context for keycloak deployment.
It would be a good idea to enable restricted profile in the namespaces while running the E2E KUTTL tests.

@svghadi
Collaborator

svghadi commented Aug 28, 2024

Yes, sounds good. However, it seems that KUTTL doesn't support adding labels to the namespaces it automatically creates during tests, which happens for most of our tests. Maybe we could create a new test that manually creates a namespace with the required pod security labels, deploys an ArgoCD CR in it, and then runs the tests.

Collaborator

@svghadi svghadi left a comment

LGTM. Thanks @hamidos for the contribution.

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
@svghadi svghadi merged commit e3bb558 into argoproj-labs:master Aug 29, 2024
7 checks passed
saumeya pushed a commit to saumeya/argocd-operator that referenced this pull request Sep 4, 2024
…oproj-labs#1493)

* fix: add missing seccompProfile to comply with restricted policy

Signed-off-by: hamidos <ed.hamido@gmail.com>

* Add kuttl e2e test

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>

* Fix kuttl test

Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>

---------

Signed-off-by: hamidos <ed.hamido@gmail.com>
Signed-off-by: Siddhesh Ghadi <sghadi1203@gmail.com>
Co-authored-by: Siddhesh Ghadi <sghadi1203@gmail.com>