Closed Cellebyte closed 3 years ago
Hardcoding a uid for runAsUser is not an option for us, as this will block Flux on OpenShift and other distributions that are allocating a UID range. Kyverno should be installed by Flux so I see no issues here, you can exclude the flux-system namespace from Kyverno policies or follow the PsP guide here: https://fluxcd.io/docs/installation/#pod-security-policy
@stefanprodan so it will not be patched into the plane manifests but should be patched by ourselves. Thanks for the clarification.
Examples of containerSecurity which could be implemented.
Should that be a standard implementation in the release manifests from fluxctl?
Examples of podSecurity
Currently it uses the standard allow-everything policy, which is not great and also breaks the securityPolicies of our cluster. The best way would be to have it upstream to ensure that it is correctly implemented. We can patch it on our own, but if greater changes happen to how flux gets deployed it will brick.
Originally posted by @Cellebyte in https://github.com/fluxcd/flux2/discussions/1483
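One way to apply such a patch yourselves in the bootstrap repository, as an added example that is not Flux's own manifests and not code from this thread. It assumes the standard flux-system/kustomization.yaml layout with gotk-components.yaml and gotk-sync.yaml, that every controller Deployment in flux-system has a single container, and that the controllers' writable paths are emptyDir volumes. No runAsUser is set, so OpenShift can still pick a uid from the namespace range:

```yaml
# flux-system/kustomization.yaml (added example, assumes the bootstrap layout)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  - target:
      kind: Deployment
      namespace: flux-system   # every Deployment in gotk-components.yaml is a Flux controller
    patch: |
      # Pod level: require non-root but do NOT pin runAsUser; the image must
      # declare a numeric non-root USER for runAsNonRoot to be verifiable.
      - op: add
        path: /spec/template/spec/securityContext
        value:
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      # Container level: hardening for the controller's single container (index 0).
      # readOnlyRootFilesystem assumes writable dirs are emptyDir mounts; drop it
      # for a controller that fails to start because it needs to write elsewhere.
      - op: add
        path: /spec/template/spec/containers/0/securityContext
        value:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
```

Because the patch lives beside the generated manifests rather than inside them, a later flux bootstrap that regenerates gotk-components.yaml re-applies it instead of overwriting it.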