Closed jbanety closed 3 years ago
Thanks, wouldn't it work with automountServiceAccountToken: false?
Nope. We need a service account to assign permissions to access the host network, run root containers, ... And to enforce security, Lokomotive has a webhook to disable automounting the default service account. https://kinvolk.io/docs/lokomotive/0.5/concepts/admission-webhook/
Got it! Could you also contribute PSP policy itself?
Example manifest from old stable repo https://github.com/helm/charts/blob/2f030a8e9db3e451e8030b12d2658371f5708f7d/stable/elasticsearch/templates/podsecuritypolicy.yaml
Haha, I have already created static manifests in my Lokomotive component. I still have to define the permissions to apply. Containers are running as root. Can we run them as a regular user?
Well, it's not a problem to run the controller and other daemons as an unprivileged user. But I'm not sure if it is possible to make the satellite daemon run that way, because it works with LVM, devicemapper, DRBD and ZFS quite heavily. I'm worried that specific permissions are required for it.
Thanks! I'll review and merge this in a while!🤘
This is a very permissive policy. I did not find time to dig into this.
I think you don't have to. PSP is going to be deprecated in the next Kubernetes release: https://github.com/kubernetes/kubernetes/pull/97171
OK. That's enough then.
Sorry for the mess. This is OK now :roll_eyes:
Merged, thanks!
Lokomotive clusters have PodSecurityPolicy (PSP) enabled by default, so I need to apply a permissive PSP to the satellite containers.
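The setup the thread is circling around, written out as an added example (not the project's own manifests and not from any commenter): a permissive PSP for the satellite daemon, the RBAC that lets a dedicated service account `use` it, and a DaemonSet template that references that service account while still keeping the token out of the privileged container. The names `satellite-privileged`, `satellite`, `satellite-psp` and the namespace `storage` are placeholders chosen here.

```yaml
# Added example; names and namespace are placeholders, not the project's own.
# PSP admission authorizes a pod against the RBAC of the pod's service account,
# so the service account is required even when no token is ever mounted.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: satellite-privileged
spec:
  # Permissive on purpose: the satellite drives LVM/devicemapper/DRBD/ZFS on the host.
  privileged: true
  allowPrivilegeEscalation: true
  hostNetwork: true
  hostPID: false          # not granted unless the daemon actually needs it
  hostIPC: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: RunAsAny        # satellite runs as root (see thread)
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath               # needed for device and module access on the node
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: satellite
  namespace: storage
# The SA exists only to carry the PSP "use" permission; never mount its token.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: satellite-psp
  namespace: storage
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["satellite-privileged"]   # bind to this one PSP only
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: satellite-psp
  namespace: storage
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: satellite-psp
subjects:
- kind: ServiceAccount
  name: satellite
  namespace: storage
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: satellite
  namespace: storage
spec:
  selector:
    matchLabels:
      app: satellite
  template:
    metadata:
      labels:
        app: satellite
    spec:
      serviceAccountName: satellite          # selects the PSP via RBAC above
      automountServiceAccountToken: false    # pod-level guard, matches the SA
      hostNetwork: true
      containers:
      - name: satellite
        image: example.invalid/satellite:placeholder   # placeholder image
        securityContext:
          privileged: true
```

Scoping the Role with `resourceNames` to the single permissive PSP keeps the controller and other daemons on a restricted policy; only the satellite's service account can select the privileged one. As the thread notes, PSP was deprecated right after this exchange; it was removed in Kubernetes 1.25, where the same "one privileged namespace or workload, everything else restricted" split is expressed with Pod Security Admission namespace labels instead of `use` permissions.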