Closed trent-s closed 1 month ago
I have delivered various changes which may improve this. Need to test.
Pod security now universally uses the following settings:
```yaml
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - "ALL"
```
This enables the susql-operator to also pass strict testing requirements for the Red Hat Operator catalog. Marking this issue closed.
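A check for the three settings listed in the comment above, run against a workload manifest before deployment. This is an added example, not part of the thread or of the susql-operator code; the Deployment and its container names are constructed sample data.

```python
# The boolean settings from the comment above; capabilities.drop is checked separately.
REQUIRED = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}

def pod_spec_of(manifest):
    """Return the pod spec of a Pod, or of a workload that carries a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})

def check_manifest(manifest):
    """Return (container name, problem) pairs for containers missing a setting."""
    findings = []
    spec = pod_spec_of(manifest)
    # These fields exist only on the container-level securityContext,
    # so every container and init container is checked individually.
    for field in ("initContainers", "containers"):
        for c in spec.get(field) or []:
            sc = c.get("securityContext") or {}
            for key, want in REQUIRED.items():
                # An unset field is reported: the setting has to be explicit.
                if sc.get(key) is not want:
                    findings.append((c["name"], f"{key} must be {str(want).lower()}"))
            dropped = (sc.get("capabilities") or {}).get("drop") or []
            if "ALL" not in dropped:
                findings.append((c["name"], 'capabilities.drop must include "ALL"'))
    return findings

# Constructed sample: "manager" carries all three settings, "proxy" does not.
SAMPLE = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "manager", "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]}}},
        {"name": "proxy", "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["NET_RAW"]}}},
    ]}}},
}

if __name__ == "__main__":
    for name, problem in check_manifest(SAMPLE):
        print(f"{name}: {problem}")
```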
We see pod security warnings and errors when attempting to deploy SusQL to namespaces with high security settings. The following commands are a sample workaround for a namespace called "testing", but clearly it would be better to provide container images sufficiently secure not to require this.