Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: make zarf-agent pods comply with offical restricted pod security standard #3036

Merged
merged 14 commits into from
Nov 1, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions packages/zarf-agent/manifests/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,12 @@ spec:
- name: private-registry
priorityClassName: system-node-critical
serviceAccountName: zarf
securityContext:
runAsUser: 1000
fsGroup: 2000
runAsGroup: 2000
seccompProfile:
type: "RuntimeDefault"
containers:
- name: server
image: "###ZARF_REGISTRY###/###ZARF_CONST_AGENT_IMAGE###:###ZARF_CONST_AGENT_IMAGE_TAG###"
Expand All @@ -32,6 +38,12 @@ spec:
scheme: HTTPS
ports:
- containerPort: 8443
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
resources:
requests:
memory: "32Mi"
Expand Down
3 changes: 1 addition & 2 deletions src/test/nightly/ecr_publish_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,10 +59,9 @@ func TestECRPublishing(t *testing.T) {
require.NoError(t, err, stdOut, stdErr)

// Ensure we get a warning when trying to inspect the online published package
stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", upstreamPackageURL, keyFlag, "--sbom-out", tmpDir)
stdOut, stdErr, err = e2e.Zarf(t, "package", "inspect", upstreamPackageURL, keyFlag, "--sbom-out", tmpDir, "--skip-signature-validation")
require.NoError(t, err, stdOut, stdErr)
require.Contains(t, stdErr, "Validating SBOM checksums")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this being added to the test? Can we remove this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I will rebase again and remove it. Not sure how it got in there.

require.Contains(t, stdErr, "Package signature validated!")

// Validate that we can pull the package down from ECR
stdOut, stdErr, err = e2e.Zarf(t, "package", "pull", upstreamPackageURL)
Expand Down