Roll out PSS Restricted profile. #1883
Labels: k8s, Kubernetes
Comments
This was linked to pull requests on Mar 4, 2024
Ah nuts, auto-closed this by mistake somehow or other.
It's not rolled out until we're in enforcement mode. Should be mostly just trivial template fixes, plus the not-so-trivial NFS question.
This was referenced May 1, 2024
This was unlinked from pull requests on May 1, 2024
nimalank7 added a commit that referenced this issue on Sep 25, 2024:
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
MahmudH pushed a commit that referenced this issue on Sep 26, 2024:
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
nimalank7 added a commit that referenced this issue on Sep 27, 2024:
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
nimalank7 added a commit that referenced this issue on Oct 2, 2024:
Description:
- Enforce initContainers to be compliant when PSS is set to restricted
- As part of #1883
nimalank7 added a commit that referenced this issue on Oct 2, 2024:
Description:
- Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Tested in integration and observed that `content-data-admin` initContainers were starting properly
- `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors, so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds.
- As part of #1883
- Paired with @MahmudH
nimalank7 added a commit that referenced this issue on Oct 3, 2024:
Description:
- Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Tested in integration and observed that `content-data-admin` initContainers were starting properly
- `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors, so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds.
- As part of #1883
- Paired with @MahmudH
nimalank7 added a commit that referenced this issue on Oct 4, 2024:
Description:
- Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- Tested in integration and observed that `content-data-admin` initContainers were starting properly
- `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors, so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds.
- As part of #1883
- Paired with @MahmudH
nimalank7 added a commit that referenced this issue on Oct 4, 2024:
Description:
- Enforces this container to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/)
- As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024:
Description:
- Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors
- This PR only sets up the IAM roles for the EFS CSI Driver. A follow-up PR will install the EFS CSI driver.
- See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024:
Description:
- Adds a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager from the `nfs` volume type. This shouldn't affect the current NFS setup as it only provisions the driver and does not call the RPCs on it
- #1549 added the IAM roles for EKS nodes to access EFS
- See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ for configuration details
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 12, 2024:
Description:
- Adds a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager from the `nfs` volume type. This shouldn't affect the current NFS setup as it only provisions the driver and does not call the RPCs on it
- #1549 added the IAM roles for EKS nodes to access EFS
- See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ for configuration details
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit that referenced this issue on Jan 13, 2025:
… PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow `PersistentVolume`
- Refactor the NFS volume to use a `PersistentVolume` of type NFS
- As part of #1883
nimalank7 added a commit that referenced this issue on Jan 14, 2025:
… PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow `PersistentVolume`
- Refactor the NFS volume to use a `PersistentVolume` of type NFS
- Both `asset-manager` and `licensify` use the `clamav` export in NFS. However, there is a 1-1 relationship between `PersistentVolume` and `PersistentVolumeClaim`, so there need to be multiple `PersistentVolume`s to export the same directory to multiple applications. Hence the name is `licensify-clamav-db`.
- As part of #1883
nimalank7 added a commit that referenced this issue on Jan 14, 2025:
Description:
- In order to use `PersistentVolume` for NFS we have to allow ArgoCD to create them
- As part of #1883
nimalank7 added a commit that referenced this issue on Jan 14, 2025:
Description:
- In order to use the `PersistentVolume` NFS type instead of the NFS `Volume` type we have to allow ArgoCD to create them, as they are cluster-wide resources
- As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Jan 14, 2025:
Description:
- Argo Bootstrap chart has been incremented in alphagov/govuk-helm-charts#2897
- As part of alphagov/govuk-helm-charts#1883
This was referenced Jan 15, 2025
nimalank7 added a commit that referenced this issue on Jan 16, 2025:
… PSS restricted
Description:
- PSS restricted doesn't allow volume types of `nfs` (see [here](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)) but does allow `PersistentVolume`
- Refactor the NFS volume to use a `PersistentVolume` of type NFS
- Both `asset-manager` and `licensify` use the `clamav` export in NFS. However, there is a 1-1 relationship between `PersistentVolume` and `PersistentVolumeClaim`, so there need to be multiple `PersistentVolume`s to export the same directory to multiple applications. Hence the name is `licensify-clamav-db`.
- As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Jan 16, 2025:
Description:
- Currently the `licensify` namespace is created through ArgoCD [here](https://github.com/alphagov/govuk-helm-charts/blob/124ad9cfa5a25916d843838aa096dc0a5ab3f780/charts/app-config/templates/govuk-application.yaml#L61)
- However, in the case of the `apps` namespace the annotations set are managed by Terraform [here](https://github.com/alphagov/govuk-infrastructure/blob/00d22761c5d9e8cfde4dd517dd459ded54a87f37/terraform/deployments/cluster-services/argo.tf#L26). The [ArgoCD docs](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#namespace-metadata) mention that if we have another manifest file for the same namespace, the data in ArgoCD will be overwritten. Currently this isn't an issue, but it makes sense to have a single entity managing things. It's easier to have the `licensify` namespace in Terraform, as we currently have for `apps` and `datagovuk`
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit that referenced this issue on Jan 16, 2025:
- Licensify namespace is now managed by Terraform in alphagov/govuk-infrastructure#1571
- As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Jan 16, 2025:
Description:
- Licensify is currently managed by Terraform in #1571, so the import is no longer needed
- As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Jan 16, 2025:
Description:
- Enforce PSS to restricted on Licensify
- As part of alphagov/govuk-helm-charts#1883
We currently enforce the PSS baseline profile.
We want to tighten that up to Restricted where possible (e.g. the `apps` namespace), so that we don't have to worry about regressions in container permissions — i.e. application containers unintentionally/unnecessarily being granted system privileges in future. In other words, this:
We still have a couple of NFS clients (e.g. asset-manager), so we might need to work around that temporarily and/or pay down that tech debt and switch them to S3.
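The following is an added example written for this page; it is not code from alphagov/govuk-helm-charts or govuk-infrastructure. It implements, as an offline checker, the field rules that the restricted profile adds on top of baseline (the profile this cluster already enforces), as listed at https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted, and runs them over a constructed pod that has exactly the two problems tracked in this issue: an initContainer with no securityContext, and an inline `nfs` volume. `harden_containers` is the "trivial template fix" applied to every container, initContainers included; `nfs_volumes_to_pvcs` is the PersistentVolume/PersistentVolumeClaim refactor from the January commits, including why each claim needs its own PersistentVolume. All names (`example-app`, `licensify`, `nfs.example.internal`, the 1Gi capacity) are placeholders.

```python
# Offline checker and fixer for the Pod Security Standards "restricted" profile.
# Added example, not code from alphagov/govuk-helm-charts; rules follow
# https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
# Only what restricted adds on top of baseline is checked (baseline is assumed
# to be enforced already, as on the cluster this issue describes).
import copy

# Volume types restricted permits. `nfs` and `hostPath` are absent, so an NFS
# export has to be consumed through a PersistentVolumeClaim instead.
ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir",
                        "ephemeral", "persistentVolumeClaim", "projected", "secret"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
# Container-level settings restricted requires (the last two may instead be
# inherited from spec.securityContext).
RESTRICTED_CONTAINER_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def _all_containers(spec):
    """Restricted covers initContainers and ephemeralContainers, not only containers."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            yield f"{field}[{c.get('name')}]", c


def check_restricted(pod):
    """Return the restricted-profile violations for a Pod manifest ([] means compliant)."""
    spec, out = pod.get("spec", {}), []
    pod_sc = spec.get("securityContext", {})
    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUME_TYPES:
                out.append(f"volume {vol['name']!r} uses disallowed type {vtype!r}")
    for where, c in _all_containers(spec):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{where}: allowPrivilegeEscalation must be set to false")
        if "ALL" not in caps.get("drop", []):
            out.append(f"{where}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            out.append(f"{where}: only NET_BIND_SERVICE may be added")
        if 0 in (sc.get("runAsUser"), pod_sc.get("runAsUser")):
            out.append(f"{where}: runAsUser must not be 0 at pod or container level")
        # Container-level values override pod-level ones; the effective value must pass.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f"{where}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            out.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


def harden_containers(pod):
    """Copy of `pod` with the restricted securityContext set on every container, init included."""
    fixed = copy.deepcopy(pod)
    for _, c in _all_containers(fixed["spec"]):
        # Restricted values win; a container that truly needs NET_BIND_SERVICE re-adds it after.
        c["securityContext"] = {**c.get("securityContext", {}), **RESTRICTED_CONTAINER_SC}
    return fixed


def nfs_volumes_to_pvcs(pod):
    """Rewrite inline `nfs` volumes as PersistentVolumeClaims; returns (pod, [PV], [PVC]).
    A PV binds to exactly one claim, so every namespace/volume pair gets its own PV."""
    fixed, pvs, pvcs = copy.deepcopy(pod), [], []
    ns = fixed["metadata"].get("namespace", "default")
    for vol in fixed["spec"].get("volumes", []):
        if "nfs" not in vol:
            continue
        pv_name = f"{ns}-{vol['name']}"  # unique per claim, e.g. licensify-clamav-db
        pvs.append({"apiVersion": "v1", "kind": "PersistentVolume", "metadata": {"name": pv_name},
                    "spec": {"capacity": {"storage": "1Gi"},  # placeholder; NFS does not enforce it
                             "accessModes": ["ReadWriteMany"], "storageClassName": "",
                             "nfs": vol.pop("nfs")}})
        pvcs.append({"apiVersion": "v1", "kind": "PersistentVolumeClaim",
                     "metadata": {"name": vol["name"], "namespace": ns},
                     "spec": {"accessModes": ["ReadWriteMany"], "storageClassName": "",
                              "volumeName": pv_name, "resources": {"requests": {"storage": "1Gi"}}}})
        vol["persistentVolumeClaim"] = {"claimName": vol["name"]}
    return fixed, pvs, pvcs


# Constructed sample (placeholder names): NFS export mounted inline and an
# initContainer with no securityContext; the pod level already sets runAsNonRoot/seccomp.
SAMPLE_POD = {"apiVersion": "v1", "kind": "Pod",
              "metadata": {"name": "example-app", "namespace": "licensify"},
              "spec": {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
                       "volumes": [{"name": "clamav-db", "nfs": {"server": "nfs.example.internal", "path": "/clamav"}}],
                       "initContainers": [{"name": "db-migrate", "image": "example/app:1"}],
                       "containers": [{"name": "app", "image": "example/app:1", "securityContext": {
                           "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    fixed_pod, pvs, pvcs = nfs_volumes_to_pvcs(harden_containers(SAMPLE_POD))
    print("as templated:", check_restricted(SAMPLE_POD))
    print("hardened + PVC:", check_restricted(fixed_pod) or "compliant", pvs[0]["metadata"]["name"])
```

Run as-is it reports three violations for the templated pod (the `nfs` volume, and the initContainer's missing `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`) and `compliant` for the hardened, PVC-backed copy. The in-cluster equivalent before flipping the label is `kubectl label --dry-run=server --overwrite ns apps pod-security.kubernetes.io/enforce=restricted`, which returns a warning for every existing pod the restricted profile would reject; setting `pod-security.kubernetes.io/warn=restricted` and `pod-security.kubernetes.io/audit=restricted` first surfaces the same violations without blocking deploys. The checker leaves out the AppArmor, SELinux, sysctl, hostPort, procMount and Windows HostProcess rules and is a pre-flight aid, not a substitute for the admission controller.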