Helm charts:: Security Contexts#6125
Conversation
pasindutennage-da
requested review from
isegall-da,
martinflorian-da and
moritzkiefer-da
moritzkiefer-da
left a comment
moritzkiefer-da
left a comment
There was a problem hiding this comment.
The change itself looks fairly reasonable. But there is a very large number of configuration flags on security contexts and security contexts on various levels. They did mention this explicitly but their message sounds fairly ambigous and they may just have used this an example. Can we check with them what they expect?
|
I think there are two parts here:
For 1. we need some research; did we do that somewhere? For 2. I'm not sure if this PR goes in the right direction. Why not just allow overriding the |
There was a problem hiding this comment.
Can we use something other than docs? We know the docs are going away soon
I agree with your point. We can let one override What I would do is; define |
I wouldn't try to enforce this in the schema. Trying to figure out all the various options that may be safe is a lost cause and some options may be safe in some usecase but not others. Just set the ones that are always valid by default and let people overwrite with whatever they want. |
|
Totally agree with @moritzkiefer-da ; for the defaults it's IMO fine enough if we ensure validity via our cluster testing. For everything else - up to the users to pick the right strings. If they want to override this it's reasonable to assume they have some idea what they are doing. |
|
@martinflorian-da @moritzkiefer-da I will allow overriding the containerSecurityContext field, so users can put whatever they want. We will set a few defaults that won't break our deployments. Full list of securitycontext: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.36/#securitycontext-v1-core Defaults
Testing I will update the tests to verify both the default state (no overrides) and the arbitrary overrides. Just extending my current 2 test per chart strcuture. To define these default securitycontext, we can either put them in |
|
any reason not to set something like and maybe switch to explicit capabilities whitelists? it seems like
I think I prefer values-templates. Then you also get automatic merging with user-supplied values. Note that there is also both a pod and a container security context. I think we want to set both. |
|
@moritzkiefer-da @martinflorian-da I made the changes for The remaining work is to just duplicate this across all helm charts, and I will do it next. |
moritzkiefer-da
left a comment
moritzkiefer-da
left a comment
There was a problem hiding this comment.
thx, it looks good in configurability, the big question ofc is if it really works so definitely make sure to test this
pasindutennage-da
force-pushed
the
pasindutennage-da/fix/5825
branch
from
8572f64 to
0ac0cb3
Compare
[ci] Signed-off-by: pasindutennage-da <pasindu.tennage@digitalasset.com> Signed-off-by: Pasindu Tennage <pasindu.tennage@digitalasset.com>
4 participants
Fix https://github.com/DACH-NY/canton-network-internal/issues/5825