Open collivier opened 1 month ago
For ease of review:
TLDR: add PodSecurity: restricted as the ClusterConfiguration in cluster.yml in GitHub Actions.
This PR creates the file /tmp/pss/cluster-level-pss.yaml with contents:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces:
      - kube-system
      - local-path-storage
Then, during the "Mirror setup", "sysctls specs kind config override" and "Mirror override" steps, it modifies the creation of cluster.yml: the file cluster-level-pss.yaml is mounted as an extra mount and used as the ClusterConfiguration.
Also, the lines
image: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245
are removed from cluster.yml; the intention behind this is not very clear.
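As an added illustration (not code from the PR or from this comment), this is the cluster.yml wiring the summary above describes: the host directory /tmp/pss holding cluster-level-pss.yaml is passed to the kind node as an extra mount, and the kubeadm ClusterConfiguration is patched so kube-apiserver loads it as its admission configuration. It follows the pattern of the Kubernetes cluster-level Pod Security Standards tutorial linked in the PR description. /tmp/pss and the file name come from the comment; the in-node mount path /etc/config, the volume name accf and leaving the node image unpinned are assumptions.

```yaml
# Added example: kind cluster config that feeds cluster-level-pss.yaml to the
# API server. Mount path /etc/config, volume name "accf" and the absence of an
# image: pin (kind itself being pinned in the workflow) are assumptions.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  # Patch the kubeadm ClusterConfiguration so kube-apiserver reads the
  # AdmissionConfiguration file at startup; extraVolumes makes the directory
  # visible inside the static-pod container of the API server.
  kubeadmConfigPatches:
  - |
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        admission-control-config-file: /etc/config/cluster-level-pss.yaml
      extraVolumes:
      - name: accf
        hostPath: /etc/config
        mountPath: /etc/config
        readOnly: false
        pathType: "DirectoryOrCreate"
  # Mount the host directory written by the workflow into the node container,
  # so the hostPath used by extraVolumes above actually contains the file.
  extraMounts:
  - hostPath: /tmp/pss
    containerPath: /etc/config
    readOnly: false
    selinuxRelabel: false
    propagation: None
```

After `kind create cluster --config cluster.yml`, a quick sanity check is to create a pod without a hardened securityContext in a non-exempt namespace (for example `kubectl run test --image=nginx` in default): with enforce set to restricted at cluster level the API server rejects it and lists the violated restricted-profile controls (allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile), while workloads in the exempted namespaces kube-system and local-path-storage are not evaluated. Because exemptions are evaluated before the profile, anything else that needs privileged containers (CNI, storage provisioners) must be added to that list or labelled per namespace, which is worth keeping in mind when reviewing which namespaces the PR exempts.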
It was discussed in the previous PR that double (image) pinning was useless, as kind is already pinned. This will be made more precise in a second, pending commit.
I don't have too much experience with Kubernetes and Helm and trying to review changes like this is new for me. Sorry if some of the questions are obvious or aren't making much sense.
It was discussed in the previous PR that double (image) pinning was useless, as kind is already pinned. This will be made more precise in a second, pending commit.
Couldn't find the discussion; can you link it, please?
Description
https://kubernetes.io/docs/tutorials/security/cluster-level-pss/
Issues:
close: #1887
How has this been tested: