Set up PodSecurityPolicies in clusters
Open, Medium, Public

Description

Currently there is no restriction regarding security in our clusters. Setting up PodSecurityPolicies will help us ensure that containers are not run as root, privileged, or with special capabilities.

Cluster services like coredns should have privileges to run with those capabilities and privileges, since they often need them.

Details

Related Gerrit Patches:
operations/puppet : production : k8s: enabling PodSecurityPolicy admission controller in staging
operations/deployment-charts : master : k8s: adding PodSecurityPolicies

Event Timeline

fsero created this task. Jul 25 2019, 9:15 AM

Change 525281 had a related patch set uploaded (by Fsero; owner: Fsero):
[operations/deployment-charts@master] k8s: adding PodSecurityPolicies

https://gerrit.wikimedia.org/r/525281

fsero triaged this task as Medium priority. Jul 25 2019, 9:26 AM
fsero moved this task from Backlog to Doing on the serviceops board.

Change 525281 had a related patch set uploaded (by Fsero; owner: Fsero):
[operations/deployment-charts@master] k8s: adding PodSecurityPolicies

https://gerrit.wikimedia.org/r/525281

Change 525281 merged by Fsero:
[operations/deployment-charts@master] k8s: adding PodSecurityPolicies

https://gerrit.wikimedia.org/r/525281

Change 525553 had a related patch set uploaded (by Fsero; owner: Fsero):
[operations/puppet@production] k8s: enabling PodSecurityPolicy admission controller in staging

https://gerrit.wikimedia.org/r/525553

Change 525553 merged by Fsero:
[operations/puppet@production] k8s: enabling PodSecurityPolicy admission controller in staging

https://gerrit.wikimedia.org/r/525553

Joe moved this task from Doing to Backlog on the serviceops board. Sep 11 2019, 7:14 AM