-
Notifications
You must be signed in to change notification settings - Fork 885
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added PSS profile seccompProfile to pods of istio #2787
Conversation
I have tested on cluster for both audit and enforce mode of PSS labels. |
Hello, this must be done automatically via istioctl or istio profiles or kustomize overlays/components, not manually. |
Hi, I'm looking for a method of setting seccompProfile during installation like: istioctl install --set values.global.proxy.seccompProfile.type=RuntimeDefault I haven't encountered anything like it yet; meanwhile, I would set these changes as kustomize component in our contrib/security directory. |
You can add them directly to both istio folders in https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml as long as this is a static file that is not modified by the synchronization scripts in /hack. |
So, the two patches should be used in |
Should the two patches be used in Yes, this is something we can do directly. Please check whether the kustoization.yaml is static. |
No, this file isn't modified by any scripts or other files. It's just used in workflows and some tests. |
Let's try in general. |
This kustomization doesn't have the required resources for the deployments in our patches as our deployments are part of istio-install/base/install.yaml A better idea I could think of is |
Then lets go with https://github.com/kubeflow/manifests/blob/master/common/istio-1-22/istio-install/base/kustomization.yaml and the same for CNI. |
It looks good so far an will take a closer look soon. |
I have taken a look at the scripts in /hack and the script doesn't touch the istio-install/patches in any way and copies all of its content to newer istio versions. If we face any issue, I would take a look at it right away or run a pre-upgrade from the script anytime. |
Signed-off-by: biswajit-9776 <[email protected]>
Signed-off-by: biswajit-9776 <[email protected]>
Signed-off-by: biswajit-9776 <[email protected]>
Signed-off-by: biswajit-9776 <[email protected]>
Signed-off-by: biswajit-9776 <[email protected]>
Signed-off-by: biswajit-9776 <[email protected]>
53c527d
to
7d3f4c5
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: juliusvonkohout The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I have added seccompProfile for both deployments in istii-cni-1-22/istio-install/base/patches in this PR. Do you mean anything else for istio-cni? |
/unhold |
* Added PSS profile seccompProfile to pods of istio Signed-off-by: biswajit-9776 <[email protected]> * Added seccompProfile to istio as kustomize component Signed-off-by: biswajit-9776 <[email protected]> * Undone changes made to istio/base Signed-off-by: biswajit-9776 <[email protected]> * Added seccomp files to common/istio-1-22/kubeflow-istio-resources/ Signed-off-by: biswajit-9776 <[email protected]> * Moved the seccompProfile patches to istio/base/patches Signed-off-by: biswajit-9776 <[email protected]> * Added newline character to a file Signed-off-by: biswajit-9776 <[email protected]> --------- Signed-off-by: biswajit-9776 <[email protected]> Signed-off-by: Patrick Schönthaler <[email protected]>
Pull Request Template for Kubeflow manifests Issues
✏️ A brief description of the changes
📦 List any dependencies that are required for this change
🐛 If this PR is related to an issue, please put the link of the issue here.
✅ Unit Test Checklist
✅ Contributor checklist
DCO
check)cla/google
check)