Remove bootstrapping of namespaces by integrating them into the helmfile workflow #1881
Force-pushed from 287fdeb to 6b3a55d.
I thought it was worth mentioning because it popped up in my head when reading the title:

Good point. So, the helm resource policy ATM, the keep resource policy has only been set on the
Force-pushed from 078e504 to b2a7e19.

Force-pushed from cfdbf37 to b87dcc9.
@@ -1,7 +1,17 @@ | |||
validatingWebhookFailurePolicy: Fail | |||
validatingWebhookTimeoutSeconds: {{ .Values.opa.validatingWebhookTimeoutSeconds }} | |||
validatingWebhookExemptNamespacesLabels: | |||
kubernetes.io/metadata.name: |
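Review bot: the exemption list is cut off after `kubernetes.io/metadata.name:` in this hunk, so a reviewer cannot see which namespace names end up exempted; please confirm it is exactly the kube-* set the PR description names and nothing more, because with `validatingWebhookFailurePolicy: Fail` the exempted namespaces are the only ones that keep admitting resources while the gatekeeper webhook is unavailable, so every extra entry is a namespace where the constraints silently stop applying. Keying the exemption on `kubernetes.io/metadata.name` rather than a custom label is the right choice for the reason the thread gives: that label is set by the API server and cannot be changed by a namespace user.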
It shouldn't be possible to modify this label of a namespace, so customers shouldn't be able to abuse it.
Review thread on helmfile/charts/gatekeeper/constraints/templates/disallow-tag/constraint.yaml (outdated, resolved).
Force-pushed from 5550e38 to fb34e7c.

Force-pushed from fb34e7c to c5c78f3.
labels: | ||
pod-security.kubernetes.io/audit: privileged | ||
pod-security.kubernetes.io/enforce: privileged | ||
pod-security.kubernetes.io/warn: privileged |
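Review bot: all three PSA modes (`enforce`, `audit`, `warn`) are set to `privileged` here, which switches Pod Security Admission off for this namespace entirely, including the two logging-only modes. If `privileged` is only required for `enforce`, keeping `audit` and `warn` at `baseline` or `restricted` costs nothing operationally and still records, in the audit log and in kubectl warnings, which pods would violate a stricter level; that makes it much easier to tighten the namespace later. A short comment in the template naming the workload that needs the privileged level would also help the next person who has to justify the exception.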
Noticed that we didn't set any psa labels on the falco namespace here which I assume that we want to do.

Force-pushed from 80a465a to c5fead4.

Force-pushed from c5fead4 to 90b1740.
Still doing some testing but feel free to take a look

Force-pushed from 441b86f to e8dcbc3.
LGTM
Force-pushed from f73b829 to 9eede30.
Looks good, but I have not tested it.
Just one minor thing.
Force-pushed from c0800f6 to 7c3ab86.

Force-pushed from ddf1b7d to 204c1c7.
This commit removes the bootstrap step used to install namespaces in a cluster. The step has been integrated into the new helmfile setup and namespaces are now managed by helm. Two new releases are added: "admin-namespaces" and "dev-namespaces", the latter of which is only relevant for wc clusters and it only includes the "alertmanager" namespace as of now. The "admin-namespace" includes all admin namespaces except for the "kube-*" namespaces. The "kube-*" namespaces are not managed by helm nor do they get any PSA or "owner=operator" labels set. Furthermore those namespaces are exempted from the OPA-Gatekeeper validating and mutating webhooks! Note, namespaces are not removed by Helm! If you destroy the namespace releases the namespace resources will be left behind. Furthermore, this commit sets the restricted PSA labels on the "thanos" namespace and the privileged PSA labels on the "falco" and "opensearch-system" namespaces. In order to set the restricted labels on the "thanos" namespace, a seccomp profile and drop-all capabilities are set on the thanos components.
Force-pushed from 204c1c7 to 482debc.
What does this PR do / why do we need this PR?
This PR removes the bootstrap step used to install namespaces in a cluster. The step has been integrated into the new helmfile setup and namespaces are now managed by helm.

Two new releases are added: "admin-namespaces" and "dev-namespaces", the latter of which is only relevant for wc clusters and it only includes the "alertmanager" namespace as of now. The "admin-namespace" includes all admin namespaces except for the "kube-*" namespaces. The "kube-*" namespaces are not managed by helm nor do they get any PSA or "owner=operator" labels set. Furthermore those namespaces are exempted from the OPA-Gatekeeper validating and mutating webhooks!

Note, namespaces are not removed by Helm! If you destroy the namespace releases the namespace resources will be left behind.

Furthermore, this PR sets the restricted PSA labels on the "thanos" namespace and the privileged PSA labels on the "falco" namespace in SC. In order to set the restricted labels on the "thanos" namespace, a seccomp profile and drop-all capabilities are set on the thanos components.
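The conventions the description lays out (every helm-managed namespace carries the three `pod-security.kubernetes.io/*` labels and `owner=operator`, `kube-*` namespaces are left alone, and workloads in a `restricted` namespace need a seccomp profile and dropped capabilities) are easy to regress in a chart refactor, so a small audit over rendered manifests is worth running in CI. The checker below is an added example and is not code from this PR or the project; it assumes the namespaces carry the `helm.sh/resource-policy: keep` annotation the thread mentions (assumed, since the PR only says Helm leaves namespaces behind), and it checks `allowPrivilegeEscalation: false` in addition to the two restricted-profile requirements the PR names. The manifests it runs over are constructed for the example; in practice you would feed it the output of `helmfile template` parsed into dicts.

```python
"""Added example (not part of the PR): audit rendered manifests for the
namespace conventions the PR describes.

  1. every Namespace except kube-* carries the three PSA labels and
     owner=operator, and is annotated helm.sh/resource-policy=keep
     (assumed annotation; the thread mentions the keep policy);
  2. workloads in a namespace whose enforce level is "restricted" use a
     RuntimeDefault/Localhost seccomp profile, drop ALL capabilities and
     set allowPrivilegeEscalation: false.
"""

PSA_MODES = ("enforce", "audit", "warn")
PSA_PREFIX = "pod-security.kubernetes.io/"
PSA_LEVELS = {"privileged", "baseline", "restricted"}


def is_kube_namespace(name):
    """kube-* namespaces are intentionally unmanaged and get no labels."""
    return name.startswith("kube-")


def namespace_findings(ns):
    """Return a list of problems for one Namespace manifest (empty if fine)."""
    meta = ns.get("metadata", {})
    name = meta.get("name", "")
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    problems = []
    if is_kube_namespace(name):
        return problems
    for mode in PSA_MODES:
        if PSA_PREFIX + mode not in labels:
            problems.append(f"{name}: missing {PSA_PREFIX}{mode} label")
    levels = {labels[PSA_PREFIX + m] for m in PSA_MODES if PSA_PREFIX + m in labels}
    if levels - PSA_LEVELS:
        problems.append(f"{name}: unknown PSA level {sorted(levels - PSA_LEVELS)}")
    if labels.get("owner") != "operator":
        problems.append(f"{name}: missing owner=operator label")
    if annotations.get("helm.sh/resource-policy") != "keep":
        problems.append(f"{name}: missing helm.sh/resource-policy=keep annotation")
    return problems


def _pod_spec(obj):
    """Locate the pod spec inside a Pod or a templated workload, else None."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind in ("Deployment", "StatefulSet", "DaemonSet"):
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None


def container_findings(obj):
    """Problems for each container against the restricted-profile essentials."""
    spec = _pod_spec(obj)
    if spec is None:
        return []
    name = obj["metadata"]["name"]
    pod_sc = spec.get("securityContext") or {}       # pod-level seccomp is inherited
    problems = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}/{c['name']}: seccompProfile must be RuntimeDefault or Localhost")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            problems.append(f"{name}/{c['name']}: capabilities.drop must include ALL")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}/{c['name']}: allowPrivilegeEscalation must be false")
    return problems


def audit(manifests):
    """Run both checks over a list of manifest dicts; return all findings."""
    enforce, findings = {}, []
    for m in manifests:
        if m.get("kind") == "Namespace":
            findings += namespace_findings(m)
            enforce[m["metadata"]["name"]] = (m["metadata"].get("labels") or {}).get(PSA_PREFIX + "enforce")
    for m in manifests:
        if enforce.get(m.get("metadata", {}).get("namespace")) == "restricted":
            findings += container_findings(m)
    return findings


def ns(name, level):
    """Constructed Namespace manifest with a uniform PSA level on all modes."""
    labels = {PSA_PREFIX + m: level for m in PSA_MODES}
    labels["owner"] = "operator"
    return {"apiVersion": "v1", "kind": "Namespace",
            "metadata": {"name": name, "labels": labels,
                         "annotations": {"helm.sh/resource-policy": "keep"}}}


# Constructed sample input: two conforming namespaces, an unmanaged kube-*
# namespace, a half-labelled namespace, a hardened and an unhardened workload.
SAMPLE = [
    ns("thanos", "restricted"),
    ns("falco", "privileged"),
    {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "kube-system", "labels": {}}},
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "alertmanager", "labels": {PSA_PREFIX + "enforce": "baseline"}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "thanos-query", "namespace": "thanos"},
     "spec": {"template": {"spec": {
         "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
         "containers": [{"name": "query", "image": "example/thanos:placeholder",
                         "securityContext": {"allowPrivilegeEscalation": False,
                                             "capabilities": {"drop": ["ALL"]}}}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "thanos-compactor", "namespace": "thanos"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "compactor", "image": "example/thanos:placeholder"}]}}}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Run as-is it reports four findings for the `alertmanager` namespace (two missing PSA modes, no owner label, no keep annotation) and three for `thanos-compactor`, while `kube-system` is skipped and `thanos-query` passes because the pod-level seccomp profile is inherited by its container. Wiring it into CI means failing the job when `audit()` returns anything, which catches exactly the kind of omission the review comment about the falco namespace points at.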