WIP: Security Policy #7893
Conversation
We found a Contributor License Agreement for you (the sender of this pull request) and all commit authors, but as best as we can tell these commits were authored by someone else. If that's the case, please add them to this pull request and have them confirm that they're okay with these commits being contributed to Google. If we're mistaken and you did author these commits, just reply here to confirm.
51f4ea3 to e51c2ec
Reorganized the commits to be in a more sane format for reviewing.
@erictune @smarterclayton @pmorie @deads2k @liggitt - I've distilled this down to just the design to gather feedback on the proposal and types. Please take a look.
@pweil- This needs rebase now that service accounts are in.
CLAs look good, thanks!
Updated
We found a Contributor License Agreement for you (the sender of this pull request) and all commit authors, but as best as we can tell these commits were authored by someone else. If that's the case, please add them to this pull request and have them confirm that they're okay with these commits being contributed to Google. If we're mistaken and you did author these commits, just reply here to confirm.
CLAs look good, thanks!
not sure what this is for
Will remove, if everything falls into the users/groups categories suggested below then it's unnecessary
GCE e2e build/test failed for commit 5c0a74902847e2bbb334693a014b0a07cab55867.
PR needs rebase
5c0a749 to c22f348
GCE e2e test build/test passed for commit c22f348.
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
GCE e2e test build/test passed for commit c22f348.
Automatic merge from submit-queue
Auto commit by PR queue bot
Special award for longest-lived PR that eventually merged!
😃 rofl
How much work is it to write an admission controller that looks at PSPs but treats all users and groups the same?
Not a ton. Can probably be done by the end of next week based on my other commitments. It would include:
Most of this is just a straight migration from what is already in OpenShift and whittling it down to be less specific.
Aaand it broke the build: I'll send a fix in a second.
Thanks @gmarek - hrm, I was running update-all/verify-all after every rebase; I'm surprised it broke. Apologies.
Np:) It was tempting to revert this PR, just to make it hang there a little longer ;) |
you have no idea how glad I am that you didn't. 🍻 |
@gmarek - crap, this does need to be reverted. It does not have my changes for disabling the resource by default and the comment updates that were requested. New PR, or revert and fix this one?
Not as bad as I thought; I just reverted my disabling of the resource. All the comment updates were in there. Fix: #20721
I'd like to get some feedback to lock down the interactions with how the service account defines and enforces policy which results in a security context on the pod. This contains some types that @pmorie and I came up with that define a SecurityPolicy object that can be configured with constraints as well as strategies to help enforce and create a security context. This PR is based on @liggitt's service account PR; only the last commit contains new code.
@smarterclayton @erictune @pmorie @liggitt - PTAL and see if this is the approach to move forward. If this is ok then I'll update the design docs with use cases and types.
edit: I've distilled this down to just the design to make it easier.
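To make the constraint-versus-strategy split in the description above concrete, and to sketch the kind of admission controller asked about earlier in the thread (one that "treats all users and groups the same"), here is an added Go example. It is not code from this PR, from Kubernetes or from OpenShift: the types SecurityPolicy, SecurityContext, Pod and UIDRange, the strategy names MustRunAsRange and RunAsAny, and the functions Admit and AdmitWithPolicies are hypothetical simplifications written for this illustration, and the policies and pods in main are constructed sample data.

```go
package main

import "fmt"

// Hypothetical, deliberately simplified types for illustration only;
// they are not the Kubernetes or OpenShift API types.
type SecurityContext struct {
	RunAsUser  *int64 // nil means "not requested by the pod"
	Privileged bool
}

type Pod struct {
	Name string
	SC   SecurityContext
}

// UIDRange is the inclusive UID range a policy allocates to pods.
type UIDRange struct{ Min, Max int64 }

// RunAsUserStrategy is the hypothetical strategy that fills in or checks RunAsUser.
type RunAsUserStrategy string

const (
	MustRunAsRange RunAsUserStrategy = "MustRunAsRange" // generate from / validate against UIDRange
	RunAsAny       RunAsUserStrategy = "RunAsAny"       // accept whatever the pod asks for
)

// SecurityPolicy carries a constraint (AllowPrivileged) and a strategy
// (RunAsUserStrategy with its UIDRange).
type SecurityPolicy struct {
	Name              string
	AllowPrivileged   bool
	RunAsUserStrategy RunAsUserStrategy
	UIDRange          UIDRange
}

// Admit applies one policy to one pod: the strategy fills in fields the pod
// left unset, then the constraints validate the result. It returns the
// resulting security context, or an error saying why the pod was rejected.
func (p SecurityPolicy) Admit(pod Pod) (SecurityContext, error) {
	sc := pod.SC // value copy: the caller's pod is never mutated

	// Constraint: a privileged container is admitted only if the policy allows it.
	if sc.Privileged && !p.AllowPrivileged {
		return SecurityContext{}, fmt.Errorf("pod %q: privileged container not allowed by policy %q", pod.Name, p.Name)
	}

	switch p.RunAsUserStrategy {
	case MustRunAsRange:
		if sc.RunAsUser == nil {
			// Strategy: generate a UID, here the first one in the allocated range.
			uid := p.UIDRange.Min
			sc.RunAsUser = &uid
		} else if *sc.RunAsUser < p.UIDRange.Min || *sc.RunAsUser > p.UIDRange.Max {
			// Constraint: an explicitly requested UID must fall inside the range.
			return SecurityContext{}, fmt.Errorf("pod %q: runAsUser %d outside [%d,%d] allowed by policy %q",
				pod.Name, *sc.RunAsUser, p.UIDRange.Min, p.UIDRange.Max, p.Name)
		}
	case RunAsAny:
		// No constraint: the pod's own value (or nil) passes through unchanged.
	default:
		return SecurityContext{}, fmt.Errorf("policy %q: unknown runAsUser strategy %q", p.Name, p.RunAsUserStrategy)
	}
	return sc, nil
}

// AdmitWithPolicies ignores who submitted the pod and tries the policies in
// order, admitting under the first one that accepts it. It returns the name
// of the policy used, or an error collecting every policy's rejection.
func AdmitWithPolicies(policies []SecurityPolicy, pod Pod) (string, SecurityContext, error) {
	var rejections []string
	for _, p := range policies {
		sc, err := p.Admit(pod)
		if err == nil {
			return p.Name, sc, nil
		}
		rejections = append(rejections, err.Error())
	}
	return "", SecurityContext{}, fmt.Errorf("pod %q rejected by all %d policies: %v", pod.Name, len(policies), rejections)
}

// describe renders a security context without dereferencing a nil RunAsUser.
func describe(sc SecurityContext) string {
	uid := "unset"
	if sc.RunAsUser != nil {
		uid = fmt.Sprint(*sc.RunAsUser)
	}
	return fmt.Sprintf("runAsUser=%s privileged=%v", uid, sc.Privileged)
}

func main() {
	// Constructed sample policies and pods for the demonstration.
	restricted := SecurityPolicy{Name: "restricted", RunAsUserStrategy: MustRunAsRange, UIDRange: UIDRange{Min: 1000, Max: 1999}}
	privileged := SecurityPolicy{Name: "privileged", AllowPrivileged: true, RunAsUserStrategy: RunAsAny}
	policies := []SecurityPolicy{restricted, privileged}

	root := int64(0)
	pods := []Pod{
		{Name: "web"},                                            // asks for nothing: a UID is generated
		{Name: "debug", SC: SecurityContext{Privileged: true}},   // rejected by "restricted", taken by "privileged"
		{Name: "legacy", SC: SecurityContext{RunAsUser: &root}},  // UID 0 is outside the range; only RunAsAny takes it
	}
	for _, pod := range pods {
		name, sc, err := AdmitWithPolicies(policies, pod)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("pod %q admitted by %q: %s\n", pod.Name, name, describe(sc))
	}
	// With only the restricted policy available, the privileged pod is refused.
	if _, _, err := AdmitWithPolicies([]SecurityPolicy{restricted}, pods[1]); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The ordering of the policy list is the whole access decision here: because the submitter's identity is ignored, anyone who can create a pod can reach the "privileged" policy simply by asking for a privileged container, so a controller of this shape is only as strict as the most permissive policy it is given. Binding policies to users, groups or service accounts, which the thread defers, is what turns the list into an actual authorization boundary.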