Exercise our PodSecurityPolicy on CI #2792
Comments
For reference, how you turn on an admission controller is here PodSecurityPolicy in k8s docs: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy

Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing.

Rotten issues close after 30d of inactivity. /close Send feedback to tektoncd/plumbing.

@tekton-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/remove-lifecycle rotten

@vdemeester: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing.

Putting this in the "frozen" box as I really think we should exercise it, at least on a nightly. /remove-lifecycle stale

/lifecycle frozen

Given #4112 should we close this one?

@sbwsg yes I would think so 👍🏼

/close

@sbwsg: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
We define a PodSecurityPolicy in our config/. But this PodSecurityPolicy is never exercised on the CI as it is not enabled by default, for the following reason:

This means we do not know if the PodSecurityPolicy is correctly set up and works as we expect (and/or as our users expect if they enable it on their cluster). We can do the following:

- Keep the PodSecurityPolicy in config/, but then we need to exercise it on our test infrastructure (at least for some tests). See Using PodSecurityPolicies on Google Cloud for more details on how to enable those. As of today, if we enable it, our test suites should fail as the PodSecurityPolicy we define disallows running privileged containers/pods, and, well, we do use some during our test suites 🙃.
- Move the PodSecurityPolicy into a contrib/ folder, discussing what it is, what it does, how to use it. (here is why I say a contrib/ folder btw 😉)

/area testing
/area test-infra
/kind feature
/cc @bobcatfish @afrittoli @gabemontero
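A pre-flight check of the kind this issue asks for, as an added example that is not Tekton's code and not the contents of its config/ PodSecurityPolicy: it models a constructed subset of a PSP that forbids privileged containers and reports which pod manifests (also constructed, standing in for test-suite pods) the admission controller would reject, so offending tests can be found before the controller is switched on in CI.

```python
# Constructed subset of the PSP the issue describes (not the project's config/
# file): no privileged containers, no host namespaces, no privilege escalation,
# and containers must not run as root.
PSP = {
    "privileged": False,
    "hostNetwork": False,
    "hostPID": False,
    "allowPrivilegeEscalation": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
}

def violations(psp, pod):
    """Reasons the PodSecurityPolicy admission controller would reject `pod`."""
    spec, found = pod.get("spec", {}), []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for ns in ("hostNetwork", "hostPID"):
        if spec.get(ns) and not psp.get(ns):
            found.append(f"{name}: {ns} is not allowed")
    pod_sc = spec.get("securityContext", {})
    # initContainers are validated under the same rules as regular containers.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc, cname = c.get("securityContext", {}), f"{name}/{c['name']}"
        if sc.get("privileged") and not psp.get("privileged"):
            found.append(f"{cname}: privileged containers are not allowed")
        # An unset value is defaulted by the controller; only an explicit true conflicts.
        if sc.get("allowPrivilegeEscalation") is True and not psp.get("allowPrivilegeEscalation", True):
            found.append(f"{cname}: allowPrivilegeEscalation=true is not allowed")
        if psp.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot":
            # Container-level settings override pod-level ones.
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if uid == 0 or non_root is False:
                found.append(f"{cname}: must run as non-root")
    return found

def rejected_pods(psp, manifests):
    """Map pod name -> violations for every manifest the PSP would reject."""
    return {p["metadata"]["name"]: v for p in manifests if (v := violations(psp, p))}

# Constructed sample manifests standing in for test-suite pods.
SAMPLE_PODS = [
    {"metadata": {"name": "privileged-test"}, "spec": {"hostNetwork": True, "containers": [
        {"name": "step", "image": "example/tool", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "root-test"}, "spec": {"securityContext": {"runAsUser": 0}, "containers": [
        {"name": "step", "image": "example/tool"}]}},
    {"metadata": {"name": "compliant-test"}, "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
        {"name": "step", "image": "example/tool", "securityContext": {"allowPrivilegeEscalation": False}}]}},
]
```

Running `rejected_pods(PSP, SAMPLE_PODS)` over the real test manifests (after loading them from YAML) gives the list of pods that would break once the admission controller is enabled.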