DandyDeveloper / charts

Various helm charts migrated from [helm/stable] due to deprecation
https://dandydeveloper.github.io/charts
Apache License 2.0

[chart/redis-ha][REQUEST] Migrate from Pod Security Policy to SecurityContext #204

Closed. pierluigilenoci closed this 2 years ago

pierluigilenoci commented 2 years ago

Is your feature request related to a problem? Please describe.

Pod Security Policies are deprecated and will be removed in Kubernetes v1.25.

Migration to another alternative is necessary. To date there are some alternative solutions:

Describe the solution you'd like

A solution that is ecumenical and covers all the aforementioned alternatives is the use of Security Context directly in the manifest of the chart.

This change must involve both ha-server and ha-proxy.

Describe alternatives you've considered

A possible solution would be to implement all the major alternatives within the chart but it is certainly a more onerous job.

Additional context

Related to #29

joebowbeer commented 2 years ago

kyverno-cli provides a convenient way to check the manifests statically.

The following command reports 7 violations of the PSS restricted profile policies:

# Build the Kyverno Pod Security Standards policy set from the kyverno/policies repo,
# render the redis-ha chart from the DandyDeveloper Helm repo, and apply the policies
# (read from stdin, "-") to the rendered manifests passed with -r.
kustomize build https://github.com/kyverno/policies//pod-security | \
  kyverno apply -r \
  <(helm template --repo https://dandydeveloper.github.io/charts redis-ha) \
  -

Relates to https://github.com/haproxytech/helm-charts/issues/150
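The following is an added example, not code from the redis-ha chart or from anyone in this thread. It implements the core checks of the Pod Security Standards "restricted" profile that the kyverno command above evaluates, and runs them over two constructed pod specs: one with no securityContext at all (the shape the issue wants to move away from) and one that sets the securityContext directly in the manifest, at pod level and per container, as the issue proposes. The container names, images and field values in the sample specs are assumptions made for illustration and do not reproduce the chart's actual templates.

```python
"""Added example: static check of a pod spec against the PSS "restricted" profile.
Covers the checks relevant to the redis-ha migration (non-root, no privilege
escalation, drop ALL capabilities, seccomp, host namespaces/ports, volume types);
it is a subset, not a complete Pod Security Standards implementation."""

# Volume types permitted by the restricted profile.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext fields override pod-level ones."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def pss_restricted_violations(pod_spec):
    """Return a list of human-readable violations; an empty list means compliant."""
    violations = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(ns):
            violations.append(f"pod: {ns} must be false")
    for vol in pod_spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in RESTRICTED_VOLUME_TYPES:
                violations.append(f"volume {vol.get('name')}: type {kind} not allowed")
    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for ctr in containers:
        name, sc = ctr["name"], ctr.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged must be false")
        # Restricted requires the field to be explicitly false, not merely unset.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
        for port in ctr.get("ports", []):
            if port.get("hostPort"):
                violations.append(f"{name}: hostPort must not be set")
    return violations


# Constructed sample (assumption, not the chart's template): no securityContext anywhere.
UNHARDENED_SPEC = {
    "containers": [
        {"name": "redis", "image": "redis:7", "ports": [{"containerPort": 6379}]},
        {"name": "sentinel", "image": "redis:7", "ports": [{"containerPort": 26379}]},
    ],
    "volumes": [{"name": "data", "emptyDir": {}}],
}

# Constructed sample (assumption): securityContext set in the manifest at pod level
# (user, group, seccomp) and per container (no escalation, drop ALL).
HARDENED_SPEC = {
    "securityContext": {
        "runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [
        {"name": "redis", "image": "redis:7",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "readOnlyRootFilesystem": True,
                             "capabilities": {"drop": ["ALL"]}}},
        {"name": "haproxy", "image": "haproxy:2.6",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]}}},
    ],
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data"}}],
}

if __name__ == "__main__":
    for label, spec in (("unhardened", UNHARDENED_SPEC), ("hardened", HARDENED_SPEC)):
        found = pss_restricted_violations(spec)
        print(f"{label}: {len(found)} violation(s)")
        for line in found:
            print("  -", line)
```

The pod-level block carries the fields that apply to every container (runAsNonRoot, runAsUser, fsGroup, seccompProfile) while allowPrivilegeEscalation and capabilities must be set on each container, which is why a chart migrating away from PSP has to template both levels, for the Redis/Sentinel pods and the HAProxy pods alike.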

pierluigilenoci commented 2 years ago

@lord-kyron @DandyDeveloper can you please take a look?

DandyDeveloper commented 2 years ago

On it hopefully today or tomorrow. Sorry, this wasn't on my radar originally.

@joebowbeer @pierluigilenoci

lord-kyron commented 2 years ago

@DandyDeveloper are you going to look into this? Kubernetes 1.25 is close and if this is going to be deprecated, it will become a real problem.

DandyDeveloper commented 2 years ago

Yes, unfortunately just been busy and it's a holiday in Japan right now.

pierluigilenoci commented 2 years ago

@DandyDeveloper any news about this?

DandyDeveloper commented 2 years ago

@joebowbeer @pierluigilenoci I'm on this now, I will need to step away and deal with it in the morning.

I'm currently using kyverno based on the pod-security policy. This all seems very sensible, I'm just working through and making sure the templating is accurate and working as intended.

DandyDeveloper commented 2 years ago

@joebowbeer @pierluigilenoci Please take a look at the PR, I need a couple of pairs of eyes to confirm this looks good.