ROX-10034: Deactivate PodSecurityPolicies by default#1747
ROX-10034: Deactivate PodSecurityPolicies by default#1747mtesseract merged 14 commits intomasterfrom
Conversation
|
Skipping CI for Draft Pull Request. |
|
Tag for build #686872 is 💻 For deploying this image using the dev scripts, run the following first: export MAIN_IMAGE_TAG='3.70.x-438-gf1fd3fce33'🕹️ A |
61238b0 to
38763b1
Compare
818526b to
fb1d56f
Compare
fb1d56f to
1da8696
Compare
5e4b22e to
aa2ee54
Compare
|
Images are ready for the commit at f1fd3fc. To use with deploy scripts, first |
aa2ee54 to
aae9cbb
Compare
There was a problem hiding this comment.
LGTM from a code perspective.
Can you write in the PR description why PSPs are disabled by default for documentation purposes?
To be honest I forgot why we disable them by default immediately as kube 1.25 is not released yet and unsure about the impact it might has on roxctl based installations.
pkg/helm/charts/tests/centralservices/testdata/helmtest/central.test.yaml
Outdated
Show resolved
Hide resolved
SimonBaeumer
left a comment
There was a problem hiding this comment.
Only two small changes
roxctl/central/generate/generate.go
Outdated
| logger.InfofLn("Generating deployment bundle...") | ||
|
|
||
| if config.EnablePodSecurityPolicies { | ||
| logger.InfofLn("Central deployment bundle includes PodSecurityPolicies (PSPs). This is incompatible with Kubernetes >= v1.25.") |
There was a problem hiding this comment.
If the message excludes the deployment name it can be extracted into a function which can be called for all components and reducing duplicated code in all three places.
| logger.InfofLn("Central deployment bundle includes PodSecurityPolicies (PSPs). This is incompatible with Kubernetes >= v1.25.") | |
| logger.InfofLn("Deployment bundle includes PodSecurityPolicies (PSPs). This is incompatible with Kubernetes >= v1.25.") |
roxctl/central/generate/generate.go
Outdated
|
|
||
| if config.EnablePodSecurityPolicies { | ||
| logger.InfofLn("Central deployment bundle includes PodSecurityPolicies (PSPs). This is incompatible with Kubernetes >= v1.25.") | ||
| logger.InfofLn("Use --enable-pod-security-policies=false for disabling PodSecurityPolicies.") |
There was a problem hiding this comment.
I am not a grammar expert, but using this form sounds cleaner to me:
| logger.InfofLn("Use --enable-pod-security-policies=false for disabling PodSecurityPolicies.") | |
| logger.InfofLn("Use --enable-pod-security-policies=false to disable PodSecurityPolicies.") |
There was a problem hiding this comment.
I think you are right.
|
I have decided to implement auto-sensing in this PR, since otherwise master would be in a somewhat inconsistent state: deployment bundles have PSPs enabled by default and Helm charts have PSPs disabled by default. |
365cb7e to
8ada6f7
Compare
SimonBaeumer
left a comment
There was a problem hiding this comment.
Auto-Sensing LGTM!
Small notes:
- Extracting into one func the if-cases are missing
- Conflict with CHANGELOG
| values: | ||
| meta: | ||
| apiServer: | ||
| overrideAPIResources: |
There was a problem hiding this comment.
Interesting, never saw this, would like to learn a bit about it.
How does this work? Can you share a documentation link?
There was a problem hiding this comment.
Malte came up with this. It's an abstraction layer on top of Helm's lookup functionality which is quite convenient to use and valuable in particular for testing purposes, allows mocking (un)availability of APIs.
I don't have a pointer to documentation for this unfortunately.
roxctl/central/generate/generate.go
Outdated
| func OutputZip(logger logger.Logger, config renderer.Config) error { | ||
| logger.InfofLn("Generating deployment bundle...") | ||
|
|
||
| if config.EnablePodSecurityPolicies { |
There was a problem hiding this comment.
The logic of the if-case is still duplicated.
Moving this if-case to a function printPSPInfoLog(config.EnablePodSecurityPolicies) and call it from all other occurrences of this clause.
roxctl/scanner/generate/generate.go
Outdated
|
|
||
| func (cmd *scannerGenerateCommand) generate() error { | ||
| func (cmd *scannerGenerateCommand) generate(logger logger.Logger) error { | ||
| if cmd.enablePodSecurityPolicies { |
There was a problem hiding this comment.
Extract into one func
roxctl/sensor/generate/generate.go
Outdated
| } | ||
| s.setClusterDefaults(env) | ||
|
|
||
| if s.enablePodSecurityPolicies { |
There was a problem hiding this comment.
Extract into one func
…rds compatibility. Emit info logs in roxctl generate commands.
19c078c to
f1fd3fc
Compare
Description
This PR is built on top of #1249 and toggles the defaults for generating deprecated PodSecurityPolicies effectively disabling them by default while still supporting explicit generation of them.
Checklist
If any of these don't apply, please comment below.
Testing Performed
TODO(replace-me)
Use this space to explain how you tested your PR, or, if you didn't test it, why
you did not do so. Valid reasons include, for example, "CI is sufficient",
"No testable changes". Feel free to attach JSON snippets, curl commands,
screenshots.
In addition to reviewing your code, reviewers must also review your testing
instructions and make sure they are sufficient.