Terraform turnup automation for the EKS Kubernetes clusters that host GOV.UK. See https://github.com/alphagov/govuk-helm-charts for application config.
MIT License
Enforce Argo Workflow pods to be compliant with PSS restricted #1508
Each step in a Workflow creates (i) an init, (ii) a main and (iii) a wait container. By default the Workflow pods for each step run as root.
The default executor for Argo Workflows is emissary, which configures the customization for the init and wait containers. The Helm values for the executor are found here.
Since emissary, according to [this commit](), mounts an emptyDir in all containers, this allows us to set `readOnlyRootFileSystem`.
Lock down the `securityContext` and `podSecurityContext` to ensure compliance with PSS restricted. Note that `securityContext` under `workflowDefaults` is really `podSecurityContext`.
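The following is an added example, not code from this PR or from the govuk-infrastructure repository. It models the two Helm values the description talks about, the pod-level `securityContext` under `workflowDefaults` and the container-level `securityContext` for the emissary init/wait containers, as the default (root) and the locked-down variants, and checks each against the rules of the Pod Security Standards "restricted" profile. The values layout (`controller.workflowDefaults.spec.securityContext`, `executor.securityContext`) is assumed from the argo-workflows Helm chart rather than taken from the PR text, so confirm the keys against the chart version in use; the field name `readOnlyRootFilesystem` is spelled as the Kubernetes API expects it.

```python
"""Check Argo Workflows Helm values against the Kubernetes Pod Security
Standards (PSS) "restricted" profile.

Added example, not code from the govuk-infrastructure PR. The values layout
(controller.workflowDefaults.spec.securityContext as the PodSecurityContext,
executor.securityContext as the init/wait container SecurityContext) is an
assumption based on the argo-workflows Helm chart.
"""
from typing import Any, Dict, List

# "Before" state: no security context set, so Workflow step pods run as root.
DEFAULT_VALUES: Dict[str, Any] = {
    "controller": {"workflowDefaults": {"spec": {}}},
    "executor": {},
}

# Locked-down values. securityContext under workflowDefaults.spec is a
# PodSecurityContext; executor.securityContext applies to the init and wait
# containers that emissary injects into every step.
HARDENED_VALUES: Dict[str, Any] = {
    "controller": {
        "workflowDefaults": {
            "spec": {
                "securityContext": {
                    "runAsNonRoot": True,
                    "runAsUser": 1000,
                    "seccompProfile": {"type": "RuntimeDefault"},
                }
            }
        }
    },
    "executor": {
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            # Possible because emissary mounts an emptyDir in every container.
            "readOnlyRootFilesystem": True,
            "runAsNonRoot": True,
        }
    },
}


def pss_restricted_violations(pod_ctx: Dict[str, Any], ctr_ctx: Dict[str, Any]) -> List[str]:
    """Return the PSS restricted rules a container would violate.

    pod_ctx is a PodSecurityContext, ctr_ctx a container SecurityContext.
    Container-level fields override pod-level ones, as in Kubernetes. Only the
    securityContext-related rules of the restricted profile are covered; the
    pod-level host namespace / volume type rules are not modelled here.
    """
    violations: List[str] = []
    if ctr_ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
        violations.append("runAsNonRoot must be true")
    if ctr_ctx.get("runAsUser", pod_ctx.get("runAsUser")) == 0:
        violations.append("runAsUser must not be 0")
    if ctr_ctx.get("allowPrivilegeEscalation") is not False:
        violations.append("allowPrivilegeEscalation must be false")
    if ctr_ctx.get("privileged") is True:
        violations.append("privileged must not be true")
    caps = ctr_ctx.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        violations.append("capabilities.drop must include ALL")
    if any(c != "NET_BIND_SERVICE" for c in caps.get("add", [])):
        violations.append("capabilities.add may only contain NET_BIND_SERVICE")
    seccomp = ctr_ctx.get("seccompProfile", pod_ctx.get("seccompProfile", {}))
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        violations.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def check_values(values: Dict[str, Any]) -> List[str]:
    """Pull the pod and executor security contexts out of Helm values and check them."""
    pod_ctx = (
        values.get("controller", {})
        .get("workflowDefaults", {})
        .get("spec", {})
        .get("securityContext", {})
    )
    ctr_ctx = values.get("executor", {}).get("securityContext", {})
    return pss_restricted_violations(pod_ctx, ctr_ctx)


if __name__ == "__main__":
    for name, values in (("default", DEFAULT_VALUES), ("hardened", HARDENED_VALUES)):
        print(name, check_values(values) or "compliant with PSS restricted")
```

Running the block prints four violations for the default values and "compliant with PSS restricted" for the hardened ones; the same check can be pointed at a rendered Workflow pod spec (`kubectl get pod -o json`) by feeding its `spec.securityContext` and a container's `securityContext` to `pss_restricted_violations` directly.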