Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(scorecard): add psa labels for scorecard namespace #621

Merged
merged 2 commits into from
Sep 12, 2023

Conversation

tthvo
Copy link
Member

@tthvo tthvo commented Sep 8, 2023

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

Related to #450

Description of the change:

Label namespace to warn and audit violations to restricted standards. This is similar to SCC on OpenShift 4.11 or 4.12 (if I remember correctly).

Ideally, we would want to set enforcing mode but there is an issue with the bundle pod (ie. runAsNonRoot is not true) - See below.

Motivation for the change:

Scorecard pods are run with security contexts conforming to restricted standards.

operator-sdk scorecard -n $(SCORECARD_NAMESPACE) -s cryostat-scorecard -w 20m $(BUNDLE_IMG) --pod-security=restricted

However, scorecard namespace is not labelled to enforce such restricted policy.

@tthvo tthvo added feat New feature or request test labels Sep 8, 2023
@tthvo
Copy link
Member Author

tthvo commented Sep 8, 2023

This is mainly for running on k8s clusters (i.e OCP should already have SCC). I could not use enforce restricted mode due to:

INFO[0008] Creating a File-Based Catalog of the bundle "quay.io/cryostat/cryostat-operator-bundle:2.4.0-dev" 
INFO[0009] Generated a valid File-Based Catalog         
FATA[0009] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "quay-io-cryostat-cryostat-operator-bundle-2-4-0-dev" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "registry-grpc" must set securityContext.runAsNonRoot=true) 

Issue: operator-framework/operator-sdk#6430

Copy link
Member

@ebaron ebaron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @tthvo! Thanks for doing this, great idea! Just one small nit.

Makefile Outdated Show resolved Hide resolved
Copy link
Member

@ebaron ebaron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks again @tthvo!

@ebaron ebaron merged commit 788f71f into cryostatio:main Sep 12, 2023
14 checks passed
@tthvo tthvo deleted the scorecard-ns branch September 12, 2023 19:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feat New feature or request safe-to-test test
Projects
No open projects
Status: Done
Development

Successfully merging this pull request may close these issues.

2 participants