pss: Make compliant with restricted pss by default#1874
Conversation
Pull request overview
Updates the Helm chart’s default podSecurityContext/securityContext values so kagent deployments are compliant with Kubernetes Pod Security Standards (PSS) restricted by default, allowing users to label namespaces as restricted without additional tuning.
Changes:
- Set `podSecurityContext.seccompProfile` to `RuntimeDefault`.
- Harden the default container `securityContext` by disabling privilege escalation, dropping all Linux capabilities, and setting `seccompProfile` to `RuntimeDefault`.
Added tests to cover podSecurityContext and extended setting the right context for the grafana-mcp and querydoc workloads. This way the entire chart is deployable in a restricted namespace by default and ensures the strictest security settings out of the box.
EItanya
left a comment
I agree overall with ensuring stricter security by default, but it looks like the e2e tests are failing for some reason.
Also, I'm curious how these new security policies will interact with skills sandboxes
```yaml
      - equal:
          path: spec.template.spec.containers[0].securityContext.seccompProfile.type
          value: RuntimeDefault
      - isNull:
```
Because it is set at the entire Pod level, which already applies it to all containers in that pod, meaning it would not show up as a separate container context setting.
I guess not affected at all. I mean, even a skill sandbox shouldn't need any OS-specific access, which is basically what this security context guards against. Even for a skill sandbox you would want it to run in the container, not give it root access on the node, or give it specific net capabilities or things like that. securityContext safeguards us from escalating privileges on the node level.
Signed-off-by: Marco Franssen <marco.franssen@gmail.com>
@EItanya I fixed the CI part.
To ensure security, configured the securityContexts to be compliant with the restricted PSS.
This way a user can annotate the namespace as restricted without having to fine-tune the deployments.
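The controls this PR sets (a pod-level `seccompProfile` of `RuntimeDefault`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`) are exactly the fields the restricted Pod Security Standard evaluates, and the reply above about the pod-level `seccompProfile` being inherited by every container is the inheritance rule an admission check has to model. The following is an added example written for this page, not code from the kagent chart, from the PR, or from Kubernetes itself: a small static checker that walks a rendered pod spec (as a Python dict, as you would get from `helm template` piped through a YAML loader) and lists restricted-profile violations. It also checks `runAsNonRoot`, which the restricted profile requires but which the PR overview does not mention, so the hardened sample sets it. Container names, the image reference and both sample specs are constructed for the example.

```python
from __future__ import annotations

from typing import Any, Iterator

# Values the restricted profile accepts for seccompProfile.type.
RESTRICTED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
# The only capability the restricted profile lets a container add back.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def _all_containers(pod_spec: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every container the restricted profile evaluates, in all three lists."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from pod_spec.get(key) or []


def _effective(pod_spec: dict[str, Any], container: dict[str, Any], field: str) -> Any:
    """Resolve a field the way the kubelet does: a container-level securityContext
    value overrides the pod-level one; otherwise the pod-level value is inherited."""
    container_sc = container.get("securityContext") or {}
    if field in container_sc:
        return container_sc[field]
    return (pod_spec.get("securityContext") or {}).get(field)


def restricted_violations(pod_spec: dict[str, Any]) -> list[str]:
    """Return one message per restricted-profile violation; an empty list means compliant."""
    violations: list[str] = []
    for container in _all_containers(pod_spec):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}

        # allowPrivilegeEscalation has no pod-level equivalent: every container must set false.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be explicitly false")

        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")

        # seccompProfile and runAsNonRoot may be inherited from the pod level, but a
        # container-level override (e.g. Unconfined) wins and is judged on its own.
        seccomp = _effective(pod_spec, container, "seccompProfile") or {}
        if seccomp.get("type") not in RESTRICTED_SECCOMP_TYPES:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if _effective(pod_spec, container, "runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if _effective(pod_spec, container, "runAsUser") == 0:
            violations.append(f"{name}: runAsUser must not be 0")
    return violations


def is_restricted_compliant(pod_spec: dict[str, Any]) -> bool:
    return not restricted_violations(pod_spec)


# Constructed sample: the shape the PR's chart defaults produce, plus runAsNonRoot.
HARDENED_POD: dict[str, Any] = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},  # inherited by the container below
    },
    "containers": [
        {
            "name": "kagent",
            "image": "example.invalid/kagent:placeholder",  # placeholder, not a real image
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }
    ],
}

# Constructed sample: one container with a bare securityContext, and one that
# overrides the inherited pod-level seccompProfile with Unconfined.
WEAK_POD: dict[str, Any] = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "app", "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}},
        {
            "name": "sidecar",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "Unconfined"},
                "runAsNonRoot": True,
            },
        },
    ],
}

if __name__ == "__main__":
    for label, spec in (("hardened", HARDENED_POD), ("weak", WEAK_POD)):
        status = "compliant" if is_restricted_compliant(spec) else "NOT compliant"
        print(f"{label}: {status}")
        for violation in restricted_violations(spec):
            print("  -", violation)
```

Run against a chart's rendered manifests, the checker gives the same answer the `pod-security.kubernetes.io/enforce: restricted` label would give at admission, but before anything is applied to a cluster; the `sidecar` case shows why a test that only asserts the pod-level `seccompProfile` is not sufficient on its own: a container that sets its own `seccompProfile` replaces the inherited value.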