Roll out PSS Restricted profile. #1883
Labels: k8s, Kubernetes
Comments
This was linked to pull requests on Mar 4, 2024.
Ah nuts, auto-closed this by mistake somehow or other.
It's not rolled out until we're in enforcement mode. Should be mostly just trivial template fixes, plus the not-so-trivial NFS question.
This was referenced May 1, 2024
This was unlinked from pull requests on May 1, 2024.
nimalank7 added a commit that referenced this issue on Sep 25, 2024:
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
MahmudH pushed a commit that referenced this issue on Sep 26, 2024:
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
nimalank7 added a commit that referenced this issue on Sep 27, 2024:
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
nimalank7 added a commit that referenced this issue on Oct 2, 2024:
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
nimalank7 added a commit that referenced this issue on Oct 2, 2024:
Description:
- Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Tested in integration and observed that `content-data-admin` initContainers were starting properly
- `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds.
- As part of #1883
- Paired with @MahmudH
nimalank7 added a commit that referenced this issue on Oct 3, 2024:
Description:
- Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Tested in integration and observed that `content-data-admin` initContainers were starting properly
- `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds.
- As part of #1883
- Paired with @MahmudH

nimalank7 added a commit that referenced this issue on Oct 4, 2024:
Description:
- Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Tested in integration and observed that `content-data-admin` initContainers were starting properly
- `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds.
- As part of #1883
- Paired with @MahmudH
nimalank7 added a commit that referenced this issue on Oct 4, 2024:
Description:
- Enforces this container to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Jan 14, 2025:
Description:
- Argo Bootstrap chart has been incremented in alphagov/govuk-helm-charts#2897
- As part of alphagov/govuk-helm-charts#1883
This was referenced Jan 15, 2025
nimalank7 added a commit that referenced this issue on Jan 16, 2025:
… PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow `PersistentVolume`
- Refactor the NFS volume to use a `PersistentVolume` of type NFS
- Both `asset-manager` and `licensify` use `clamav` export in NFS. However there is a 1-1 relationship between `PersistentVolume` and `PersistentVolumeClaim` so there needs to be multiple `PersistentVolume`s to export the same directory to multiple applications. Hence the name is `licensify-clamav-db`.
- As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Jan 16, 2025:
Description:
- Currently the `licensify` namespace is created through ArgoCD [here](https://github.com/alphagov/govuk-helm-charts/blob/124ad9cfa5a25916d843838aa096dc0a5ab3f780/charts/app-config/templates/govuk-application.yaml#L61)
- However in the case of the `apps` namespace the annotations set are managed by Terraform [here](https://github.com/alphagov/govuk-infrastructure/blob/00d22761c5d9e8cfde4dd517dd459ded54a87f37/terraform/deployments/cluster-services/argo.tf#L26). The [ArgoCD docs](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#namespace-metadata) mention that if we have another manifest file for the same namespace the data in ArgoCD will be overwritten. Currently this isn't an issue but it makes sense to have a single entity managing things. It's easier to have the `licensify` namespace in Terraform as we currently have for `apps` and `datagovuk`
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit that referenced this issue on Jan 16, 2025:
- Licensify namespace is now managed by Terraform in alphagov/govuk-infrastructure#1571
- As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Jan 16, 2025:
Description:
- Licensify is currently managed by Terraform in #1571 so import is no longer needed
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Jan 16, 2025:
Description:
- Enforce PSS to restricted on Licensify
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit that referenced this issue on Jan 17, 2025:
… PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow us to use a `PersistentVolume` of type NFS
- Add some additional annotations onto Licensify `PersistentVolume` and `PersistentVolumeClaim`
- As part of #1883
nimalank7 added a commit that referenced this issue on Jan 17, 2025:
… PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow us to use a `PersistentVolume` of type NFS
- Add some additional annotations onto Licensify `PersistentVolume` and `PersistentVolumeClaim`
- Remove `namespace` value from Licensify as Terraform now manages namespace configuration
- As part of #1883
nimalank7 added a commit that referenced this issue on Jan 17, 2025:
Description:
- Licensify is now managed in Terraform alphagov/govuk-infrastructure#1571
- Add a few labels to volumes
- As part of #1883
nimalank7 added a commit that referenced this issue on Jan 17, 2025:
… PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow us to use a `PersistentVolume` of type NFS
- As part of #1883
We currently enforce the PSS baseline profile.
We want to tighten that up to Restricted where possible (e.g. `apps` namespace), so that we don't have to worry about regressions in container permissions — i.e. application containers unintentionally/unnecessarily being granted system privileges in future. In other words, this:
We still have a couple of NFS clients (e.g. asset-manager), so we might need to work around that temporarily and/or pay down that tech debt and switch them to S3.
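The two things the thread keeps circling back to are that the Restricted profile applies to initContainers as well as app containers, and that it rejects `nfs` volumes while accepting a `persistentVolumeClaim` backed by an NFS `PersistentVolume`. The checker below, added here as an illustration and not code from govuk-helm-charts, walks a pod spec (a plain dict, as loaded from YAML) and reports every field the Restricted profile would reject, so a template can be checked offline before the namespace is switched to enforcement. The two pod specs, the server name and the image names are constructed; `licensify-clamav-db` is the claim name from the commits above.

```python
"""Offline check of a pod spec against the Pod Security Standards 'restricted' profile.

Added example, not part of the govuk-helm-charts project. The field rules follow
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted;
the pod specs below are constructed for the demonstration.
"""

# Volume types the restricted profile permits; anything else (nfs, hostPath, ...) is rejected.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _containers(pod_spec):
    """Yield (field, container) for app, init and ephemeral containers alike.

    The profile applies to every container; leaving initContainers out is the
    gap the commits on this issue were closing.
    """
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod_spec.get(field, []):
            yield field, c


def check_restricted(pod_spec):
    """Return a list of violation strings; an empty list means the spec is compliant."""
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}

    # Baseline rules the restricted profile inherits.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(flag):
            violations.append(f"spec.{flag} must be false or unset")

    for vol in pod_spec.get("volumes", []):
        for kind in {k for k in vol if k != "name"} - ALLOWED_VOLUME_TYPES:
            violations.append(f"volume {vol['name']!r} uses disallowed type {kind!r}")

    for field, c in _containers(pod_spec):
        sc = c.get("securityContext") or {}
        where = f"{field}[{c['name']}]"
        caps = sc.get("capabilities") or {}

        if sc.get("privileged"):
            violations.append(f"{where}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{where}: allowPrivilegeEscalation must be explicitly false")
        if "ALL" not in set(caps.get("drop", [])):
            violations.append(f"{where}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            violations.append(f"{where}: only NET_BIND_SERVICE may be added back")
        # runAsNonRoot, runAsUser and seccompProfile may be inherited from the pod
        # level, but a container-level value takes precedence.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{where}: runAsNonRoot must be true (pod or container level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{where}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# Constructed sample: compliant app container, unconfigured initContainer, and a
# direct NFS mount of the kind the restricted profile rejects.
BEFORE = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "wait-for-db", "image": "busybox"}],
    "containers": [{
        "name": "app", "image": "example/app",
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    }],
    "volumes": [{"name": "clamav-db", "nfs": {"server": "nfs.example.internal", "path": "/clamav"}}],
}

# Constructed sample: the same pod after the refactor, with the NFS export reached
# through a PersistentVolumeClaim and the initContainer locked down as well.
_RESTRICTED_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}
HARDENED = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "wait-for-db", "image": "busybox", "securityContext": dict(_RESTRICTED_SC)}],
    "containers": [{"name": "app", "image": "example/app", "securityContext": dict(_RESTRICTED_SC)}],
    "volumes": [{"name": "clamav-db", "persistentVolumeClaim": {"claimName": "licensify-clamav-db"}}],
}


def main():
    for label, spec in (("before", BEFORE), ("hardened", HARDENED)):
        problems = check_restricted(spec)
        print(f"{label}: {'compliant' if not problems else str(len(problems)) + ' violation(s)'}")
        for p in problems:
            print("  -", p)


if __name__ == "__main__":
    main()
```

Running it reports three problems for `BEFORE` (the `nfs` volume, and the initContainer's missing `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`) and none for `HARDENED`; the app container passes in both because `runAsNonRoot` and `seccompProfile` are inherited from the pod-level `securityContext`. In a cluster the same decisions are made by the Pod Security Admission controller once the namespace carries the `pod-security.kubernetes.io/enforce: restricted` label, so a checker like this is only a pre-flight, not a substitute for enforcement.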