Roll out PSS Restricted profile. #1883
Labels
k8s
Kubernetes
Comments
This was linked to pull requests on Mar 4, 2024.
Ah nuts, auto-closed this by mistake somehow or other.
It's not rolled out until we're in enforcement mode. Should be mostly just trivial template fixes, plus the not-so-trivial NFS question.
This was referenced on May 1, 2024.
This was unlinked from pull requests on May 1, 2024.
nimalank7 added a commit that referenced this issue on Sep 25, 2024. Description: - Enforce initContainers to be compliant when PSS is set to restricted - As part of #1883
MahmudH pushed a commit that referenced this issue on Sep 26, 2024. Description: - Enforce initContainers to be compliant when PSS is set to restricted - As part of #1883
MahmudH pushed a commit that referenced this issue on Sep 26, 2024. Description: - Enforce initContainers to be compliant when PSS is set to restricted - As part of #1883
MahmudH pushed a commit that referenced this issue on Sep 26, 2024. Description: - Enforce initContainers to be compliant when PSS is set to restricted - As part of #1883
MahmudH pushed a commit that referenced this issue on Sep 26, 2024. Description: - Enforce initContainers to be compliant when PSS is set to restricted - As part of #1883
nimalank7 added a commit that referenced this issue on Sep 27, 2024. Description: - Enforce initContainers to be compliant when PSS is set to restricted - As part of #1883
nimalank7 added a commit that referenced this issue on Oct 2, 2024. Description: - Enforce initContainers to be compliant when PSS is set to restricted - As part of #1883
nimalank7 added a commit that referenced this issue on Oct 2, 2024. Description: - Enforce initContainers to be compliant when PSS is set to restricted - As part of #1883
nimalank7 added a commit that referenced this issue on Oct 2, 2024. Description: - Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/) - Tested in integration and observed that `content-data-admin` initContainers were starting properly - `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds. - As part of #1883 - Paired with @MahmudH
nimalank7 added a commit that referenced this issue on Oct 3, 2024. Description: - Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/) - Tested in integration and observed that `content-data-admin` initContainers were starting properly - `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds. - As part of #1883 - Paired with @MahmudH
nimalank7 added a commit that referenced this issue on Oct 4, 2024. Description: - Enforce initContainers in the `app` namespace to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/) - Tested in integration and observed that `content-data-admin` initContainers were starting properly - `govuk-mirror-sync-cronjob` can't be tested in integration as this has no mirrors so the PR will have to be merged and we will have to manually inspect staging to see if it succeeds. - As part of #1883 - Paired with @MahmudH
nimalank7 added a commit that referenced this issue on Oct 4, 2024. Description: - Enforces this container to be compliant when PSS is set to [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/) - As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Nov 26, 2024. - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Nov 27, 2024. Description: - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Nov 29, 2024. Description: - Nothing uses this anymore - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Nov 29, 2024. Description: - Nothing uses this anymore - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit that referenced this issue on Dec 2, 2024. Description: - post-sync failures aren't being reported to `#govuk-deploy-arts` and give the following error message: `level=error msg="cannot save parameter /tmp/message.txt" argo=true error="open /tmp/message.txt: no such file or directory"` - This is due to alphagov/govuk-infrastructure@e7e840d setting Argo Workflow pods as `readOnlyRootFileSystem` - Solution is to mount `/tmp` in so the pod can write to it - As part of #1883
nimalank7 added a commit that referenced this issue on Dec 2, 2024. Description: - post-sync failures aren't being reported to `#govuk-deploy-arts` and give the following error message: `level=error msg="cannot save parameter /tmp/message.txt" argo=true error="open /tmp/message.txt: no such file or directory"` - This is due to alphagov/govuk-infrastructure@e7e840d setting Argo Workflow pods as `readOnlyRootFileSystem` - Solution is to mount `/tmp` in so the pod can write to it - As part of #1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 5, 2024. Description: - https://github.com/alphagov/govuk-infrastructure/pull/725/files introduced the EBS CSI Driver which created EFS for ClamAV - Next https://github.com/alphagov/govuk-helm-charts/pull/508/files allowed ClamAV to talk to EFS over NFS exposing over clamav-db-govuk.integration.govuk-internal.digital - However this didn't work so ClamAV was switched to use the EFS CSI driver in https://github.com/alphagov/govuk-helm-charts/pull/514/files. But this removes the reference to clamav-db-govuk.integration.govuk-internal.digital - #790 removes the EFS CSI driver - Next https://github.com/alphagov/govuk-helm-charts/pull/572/files makes ClamAV share the EFS instance via the same NFS mount as asset manager. - Now there is a dangling reference to ClamAV EFS instance which can be safely removed as nothing references it anymore. - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 5, 2024. Description: - https://github.com/alphagov/govuk-infrastructure/pull/725/files introduced the EBS CSI Driver which created EFS for ClamAV - Next https://github.com/alphagov/govuk-helm-charts/pull/508/files allowed ClamAV to talk to EFS over NFS exposing over clamav-db-govuk.integration.govuk-internal.digital - However this didn't work so ClamAV was switched to use the EFS CSI driver in https://github.com/alphagov/govuk-helm-charts/pull/514/files. But this removes the reference to clamav-db-govuk.integration.govuk-internal.digital - #790 removes the EFS CSI driver - Next https://github.com/alphagov/govuk-helm-charts/pull/572/files makes ClamAV share the EFS instance via the same NFS mount as asset manager. - Now there is a dangling reference to ClamAV EFS instance which can be safely removed as nothing references it anymore. - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 5, 2024. Description: - #725 introduced the EBS CSI Driver which created EFS for ClamAV - Next alphagov/govuk-helm-charts#508 allowed ClamAV to talk to EFS over NFS exposing over clamav-db-govuk.integration.govuk-internal.digital - However this didn't work so ClamAV was switched to use the EFS CSI driver in alphagov/govuk-helm-charts#514. But this removes the reference to clamav-db-govuk.integration.govuk-internal.digital - #790 removes the EFS CSI driver - Next alphagov/govuk-helm-charts#572 makes ClamAV share the EFS instance via the same NFS mount as asset manager. - Now there is a dangling reference to ClamAV EFS instance which can be safely removed as nothing references it anymore. - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 5, 2024. Description: - as - As part of alphagov/govuk-helm-charts#1883
Description: - Currently assets are stored in `assets_efs` EFS after scanning by ClamAV prior to upload to S3. These are transferred via an NFS mount in each of their pods. We want to move away from this as `nfs` volume type isn't compatible with PSS restricted - Install the EFS CSI Driver as a first step to migrate from NFS to PersistentVolumes - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 5, 2024. Description: - Currently assets are stored in `assets_efs` EFS after scanning by ClamAV prior to upload to S3. These are transferred via an NFS mount in each of their pods. We want to move away from this as `nfs` volume type isn't compatible with PSS restricted - Install the EFS CSI Driver as a first step to migrate from NFS to PersistentVolumes - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 5, 2024. Description: - Currently assets are stored in `assets_efs` EFS after scanning by ClamAV prior to upload to S3. These are transferred via an NFS mount in each of their pods. We want to move away from this as `nfs` volume type isn't compatible with PSS restricted - Install the EFS CSI Driver as a first step to migrate from NFS to PersistentVolumes - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - as - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type - PR only installs the CSI Driver but doesn't provision an EFS volume until a `PersistentVolumeClaim` is created in the Helm Chart - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/static_provisioning - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors - PR only installs the CSI Driver but doesn't provision an EFS volume until a `PersistentVolumeClaim` is created in the Helm Chart - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/static_provisioning - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors - PR only installs the CSI Driver but doesn't provision an EFS volume until a `PersistentVolumeClaim` is created in the Helm Chart - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/static_provisioning - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors - PR only installs the CSI Driver but doesn't provision an EFS volume until a `PersistentVolumeClaim` is created in the Helm Chart - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/static_provisioning and https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/charts/aws-efs-csi-driver/values.yaml for Helm values - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors - PR only sets up the IAM roles for the EFS CSI Driver. Follow up PR will install the EFS CSI driver. - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors - PR only sets up the IAM roles for the EFS CSI Driver. Follow up PR will install the EFS CSI driver. - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - Add a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager to `nfs` volume type. This is because dynamic provisioning causes errors - see https://trello.com/c/2XkadNJ2/1011-resolve-asset-manager-pvc-related-errors - PR only sets up the IAM roles for the EFS CSI Driver. Follow up PR will install the EFS CSI driver. - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 11, 2024. Description: - Adds a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager from `nfs` volume type. This shouldn't affect the current NFS setup as it only provisions the driver not call the RPCs on it - #1549 added the IAM roles for EKS nodes to access EFS - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ for configuration details - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 12, 2024. Description: - Adds a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager from `nfs` volume type. This shouldn't affect the current NFS setup as it only provisions the driver not call the RPCs on it - #1549 added the IAM roles for EKS nodes to access EFS - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ for configuration details - As part of alphagov/govuk-helm-charts#1883
nimalank7 added a commit to alphagov/govuk-infrastructure that referenced this issue on Dec 12, 2024. Description: - Adds a statically provisioned EFS CSI Driver as part of a series of PRs to move asset-manager from `nfs` volume type. This shouldn't affect the current NFS setup as it only provisions the driver not call the RPCs on it - #1549 added the IAM roles for EKS nodes to access EFS - See https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/ for configuration details - As part of alphagov/govuk-helm-charts#1883
We currently enforce the PSS baseline profile.
We want to tighten that up to Restricted where possible (e.g. `apps` namespace), so that we don't have to worry about regressions in container permissions — i.e. application containers unintentionally/unnecessarily being granted system privileges in future. In other words, this:
We still have a couple of NFS clients (e.g. asset-manager), so we might need to work around that temporarily and/or pay down that tech debt and switch them to S3.
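The issue body and the linked commits touch three controls of the restricted profile that are easy to miss when moving up from baseline: the container-level rules apply to initContainers as well as regular containers, the `nfs` volume type is outside the restricted allowlist (hence the asset-manager migration to a PersistentVolumeClaim), and a read-only root filesystem needs a writable `emptyDir` at `/tmp`. The following Python checker is an added example, not code from this issue or the govuk-helm-charts project; it walks a pod spec and reports restricted-profile violations. The two pod specs, the image names, the NFS server hostname and the `assets-efs` claim name are constructed for illustration, and the rule set covers the restricted-specific fields plus `privileged`, not every baseline control.

```python
import copy

# Volume types the restricted profile permits; anything else (nfs, hostPath, ...) is rejected.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
# The only capability a restricted container may add back after dropping ALL.
ALLOWED_CAP_ADDS = {"NET_BIND_SERVICE"}


def _all_containers(spec):
    """Yield (field, container) for init, regular and ephemeral containers.

    PSS applies the container-level rules to all three lists; a checker that
    only walks spec["containers"] silently passes non-compliant initContainers.
    """
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            yield field, container


def check_restricted(spec):
    """Return a list of violation strings for a pod spec (empty list = compliant)."""
    findings = []
    pod_sc = spec.get("securityContext", {})

    for vol in spec.get("volumes", []):
        # A volume object carries exactly one type key alongside "name".
        for vtype in sorted(set(vol) - {"name"} - ALLOWED_VOLUME_TYPES):
            findings.append(f"volume {vol['name']}: type {vtype} not permitted")

    for field, container in _all_containers(spec):
        sc = container.get("securityContext", {})
        caps = sc.get("capabilities", {})
        where = f"{field}/{container['name']}"
        if sc.get("privileged"):
            findings.append(f"{where}: privileged containers are not permitted")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{where}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{where}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - ALLOWED_CAP_ADDS:
            findings.append(f"{where}: capabilities.add may only contain NET_BIND_SERVICE")
        # Pod-level settings apply unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{where}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            findings.append(f"{where}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{where}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


# Constructed pod spec modelled on the situation in this issue: the main container is
# compliant and runs with a read-only root filesystem (so /tmp is an emptyDir), the
# initContainer has no securityContext at all, and assets come from an nfs volume.
BEFORE_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [
        {"name": "migrate", "image": "example-app:1", "command": ["rake", "db:migrate"]},
    ],
    "containers": [
        {"name": "app", "image": "example-app:1",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]},
                             "readOnlyRootFilesystem": True},
         "volumeMounts": [{"name": "assets", "mountPath": "/srv/assets"},
                          {"name": "tmp", "mountPath": "/tmp"}]},
    ],
    "volumes": [
        {"name": "assets", "nfs": {"server": "fs.example.internal", "path": "/"}},  # constructed
        {"name": "tmp", "emptyDir": {}},
    ],
}

# The remediation the later commits describe: give the initContainer the same
# securityContext and replace the nfs volume with a PersistentVolumeClaim
# (the claim name is a placeholder).
AFTER_SPEC = copy.deepcopy(BEFORE_SPEC)
AFTER_SPEC["initContainers"][0]["securityContext"] = dict(BEFORE_SPEC["containers"][0]["securityContext"])
AFTER_SPEC["volumes"][0] = {"name": "assets", "persistentVolumeClaim": {"claimName": "assets-efs"}}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE_SPEC), ("after", AFTER_SPEC)):
        findings = check_restricted(spec)
        print(f"{label}: {'compliant' if not findings else str(len(findings)) + ' violation(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run as a script, the "before" spec reports the nfs volume and two initContainer findings while the "after" spec is clean. The same walk is what the Pod Security admission controller performs in `warn` and `audit` modes, so running a checker like this over rendered Helm templates before switching a namespace label to `enforce` surfaces exactly the kind of initContainer gaps the October commits fixed.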