Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: make zarf-agent pods comply with offical restricted pod security standard #3036

Merged
merged 14 commits into from
Nov 1, 2024

Conversation

Ansible-man
Copy link
Contributor

Comply with k8s restricted pod security standard

Description

Adds security context to zarf-agent to ensure compliance with Kubernetes restricted pod security standard used in high security environments.
...

Related Issue

Fixes #2932

Relates to #

Checklist before merging

@Ansible-man Ansible-man requested review from a team as code owners September 26, 2024 03:08
Copy link

netlify bot commented Sep 26, 2024

Deploy Preview for zarf-docs canceled.

Name Link
🔨 Latest commit 3c45873
🔍 Latest deploy log https://app.netlify.com/sites/zarf-docs/deploys/672454deb5820f00089992f5

@Ansible-man
Copy link
Contributor Author

Made an non-impactful change to fix my commit not being verified as seen in commit #2

@AustinAbro321
Copy link
Contributor

@Ansible-man thanks for making this. Could you also fix the dco error by following these instructions

Copy link

codecov bot commented Sep 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

see 39 files with indirect coverage changes

@AustinAbro321 AustinAbro321 changed the title Add security context to zarf-agent in order to comply with offical re… feat: add security context to zarf-agent in order to comply with offical restricted pod security standard Sep 26, 2024
@AustinAbro321 AustinAbro321 changed the title feat: add security context to zarf-agent in order to comply with offical restricted pod security standard feat: make zarf-agent pods comply with offical restricted pod security standard Sep 26, 2024
AustinAbro321
AustinAbro321 previously approved these changes Sep 26, 2024
@Ansible-man
Copy link
Contributor Author

@AustinAbro321 I should be able to do that tomorrow at some point. Thank you and happy to help where I can!

@Miaoxiang-philips
Copy link
Contributor

@AustinAbro321 I should be able to do that tomorrow at some point. Thank you and happy to help where I can!

Hi @AustinAbro321 It seems that the DCO problem has not been solved, do you need help?

@Ansible-man
Copy link
Contributor Author

Ansible-man commented Oct 10, 2024 via email

@phillebaba
Copy link
Member

@Ansible-man could you resolve DCO?

@phillebaba
Copy link
Member

Part of #2757

@Miaoxiang-philips
Copy link
Contributor

Miaoxiang-philips commented Oct 12, 2024

Is there still something I need to do here?

@Ansible-man You can follow the prompts to execute the commands

image

@schristoff
Copy link
Contributor

Hey @Ansible-man - we really appreciate this PR. If you could follow the steps outlined above we can get this merged. If you're unable to do that within the next week, we will have to close this and merge this with a signed DCO under someone else.

Thanks!

@Ansible-man
Copy link
Contributor Author

Ansible-man commented Oct 18, 2024 via email

Cade Thomas and others added 3 commits October 19, 2024 00:50
…stricted PSS

Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
…stricted PSS

Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
@Ansible-man
Copy link
Contributor Author

Sorry that took so long @schristoff . I just got around to reading everything. If that did not fix it let me know and I will get right back on it. Looking forward to helping out more in the future

@phillebaba
Copy link
Member

@Ansible-man could you rebase?

@Ansible-man
Copy link
Contributor Author

Ansible-man commented Oct 22, 2024 via email

@phillebaba
Copy link
Member

@Ansible-man there is a conflict with a change done in main which needs to be resolved before we can merge.

@Ansible-man
Copy link
Contributor Author

Ansible-man commented Oct 23, 2024 via email

@Ansible-man
Copy link
Contributor Author

Let me know if that resolved it

@@ -61,6 +61,8 @@ func TestECRPublishing(t *testing.T) {
// Ensure we get a warning when trying to inspect the online published package
stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", upstreamPackageURL, keyFlag, "--sbom-out", tmpDir, "--skip-signature-validation")
require.NoError(t, err, stdOut, stdErr)
require.Contains(t, stdErr, "Validating SBOM checksums")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this being added to the test? Can we remove this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I will rebase again and remove it. Not sure how it got in there.

AustinAbro321 and others added 10 commits October 25, 2024 07:18
…1.20.5 (zarf-dev#3143)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
zarf-dev#3144)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
Signed-off-by: Cade Thomas <cadethomas23@gmail.com>
@Ansible-man
Copy link
Contributor Author

5th time a charm?

@phillebaba phillebaba added this pull request to the merge queue Nov 1, 2024
Merged via the queue into zarf-dev:main with commit 785feeb Nov 1, 2024
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Zarf overwrites namespace labels required when deploying to env with restricted pod security standard
5 participants