search

vmware-tanzu-labs / educates-training-platform

A platform for hosting interactive workshop environments in Kubernetes, or on top of a local container runtime.
https://docs.educates.dev
Apache License 2.0
72 stars 18 forks source link

Support cluster default pod security standards. #585

Open GrahamDumpleton opened 3 days ago

GrahamDumpleton commented 3 days ago

Is your feature request related to a problem? Please describe.

Some Kubernetes clusters are configured to apply a default pod security standards for any namespaces created. This can be a problem when using Educates to install contour as depending on configuration it can fail as a result.

 message: '(combined from similar events): Error creating: pods "envoy-qqlnh" is forbidden:
   violates PodSecurity "baseline:latest": hostPort (container "envoy" uses hostPorts
   443, 80)'

To deal with this the projectcontour namespace would need to have labels:

     pod-security.kubernetes.io/audit: privileged 
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

Describe the solution you'd like

Look at way of applying these labels automatically, either always, or as an option.

Right now no choice but to disable default pod security standards for the cluster as a whole.

Describe alternatives you've considered

No response

Additional information

No response

GrahamDumpleton commented 3 days ago

Note that may need to also look at how such a default pod security standard may apply to workshop sessions when Kyverno is used as cluster security policy engine. Although, if there is a default cluster pod security standard applied, may be forced to deploy Educates using pod security standards for cluster security instead of Kyverno, with Kyverno only used to workshop/session security.

GrahamDumpleton commented 3 days ago

For Contour case, need to see if hostPorts was needed in this case as was using LoadBalancer, so may not have.