Page MenuHomePhabricator
Create Task
Maniphest T362978

Update all helm modules and charts to be compatible with the restricted PSS
Open, HighPublic
Actions

Description

We need to update all helm chart modules (and all charts ofc.) to be compatible with the restricted PSS profile.

As far as I can tell rn this is mostly adding a proper securityContext to all containers:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
     drop:
     - ALL
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

There is another "update everything" task at: T346638: Rename the envoy's uses_ingress option to sets_sni to cross check for synergy effects...

Details

SubjectRepoBranchLines +/-
benthos: adopt securityContext and base.external-services-networkpolicyoperations/deployment-chartsmaster+82 -26
aqs-http-gateway: add securityContext to all containersoperations/deployment-chartsmaster+172 -79
ipiod: ensure all containers have securityContextoperations/deployment-chartsmaster+196 -102
changeprop: add securityContext to all containersoperations/deployment-chartsmaster+27 -10
blubberoid: add securityContext to all containersoperations/deployment-chartsmaster+24 -9
citoid: add securityContext to all containersoperations/deployment-chartsmaster+161 -96
cxserver: add securityContext to all containersoperations/deployment-chartsmaster+31 -16
api-gateway: add securityContext to all containersoperations/deployment-chartsmaster+138 -71
apertium: add securityContext to all containersoperations/deployment-chartsmaster+25 -9
mathoid: add securityContext to all containersoperations/deployment-chartsmaster+151 -86
kserve-inference: add securityContext explicit configoperations/deployment-chartsmaster+17 -2
modules: Add restrictedSecurityContext to statsdoperations/deployment-chartsmaster+2 -2
New version of statds moduleoperations/deployment-chartsmaster+78 -0
eventgate: Add securityContext for all containersoperations/deployment-chartsmaster+24 -9
modules: Add restrictedSecurityContext to all containersoperations/deployment-chartsmaster+32 -7
Fix mcrouter module to work out of the box from scaffoldoperations/deployment-chartsmaster+42 -37
New module versionsoperations/deployment-chartsmaster+1 K -0
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

JMeybohm triaged this task as High priority.Fri, Apr 19, 12:41 PM
JMeybohm created this task.
JMeybohm mentioned this in T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21.
gerritbot added a comment.Fri, Apr 19, 1:00 PM

Change #1021917 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] New module versions

https://gerrit.wikimedia.org/r/1021917

gerritbot added a project: Patch-For-Review.Fri, Apr 19, 1:00 PM

Change #1021918 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] Fix mcrouter module to work our of the box from scaffold

https://gerrit.wikimedia.org/r/1021918

JMeybohm updated the task description. (Show Details)Fri, Apr 19, 1:20 PM
bking subscribed.Fri, Apr 19, 1:34 PM
gerritbot added a comment.Fri, Apr 19, 7:19 PM

Change #1022161 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] modules: Add restrictedSecurityContext to all containers

https://gerrit.wikimedia.org/r/1022161

gerritbot added a comment.Fri, Apr 19, 7:24 PM

Change #1022164 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] eventgate: Add securityContext for all containers

https://gerrit.wikimedia.org/r/1022164

JMeybohm mentioned this in T359423: Migrate charts to Calico Network Policies.Tue, Apr 23, 10:15 AM
gerritbot added a comment.Thu, Apr 25, 8:04 AM

Change #1021917 merged by jenkins-bot:

[operations/deployment-charts@master] New module versions

https://gerrit.wikimedia.org/r/1021917

gerritbot added a comment.Thu, Apr 25, 8:04 AM

Change #1021918 merged by jenkins-bot:

[operations/deployment-charts@master] Fix mcrouter module to work out of the box from scaffold

https://gerrit.wikimedia.org/r/1021918

gerritbot added a comment.Thu, Apr 25, 8:04 AM

Change #1022161 merged by jenkins-bot:

[operations/deployment-charts@master] modules: Add restrictedSecurityContext to all containers

https://gerrit.wikimedia.org/r/1022161

gerritbot added a comment.Thu, Apr 25, 8:06 AM

Change #1022164 merged by jenkins-bot:

[operations/deployment-charts@master] eventgate: Add securityContext for all containers

https://gerrit.wikimedia.org/r/1022164

Maintenance_bot removed a project: Patch-For-Review.Fri, Apr 26, 6:29 PM
gerritbot added a comment.Thu, May 2, 12:53 PM

Change #1026555 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] New version of statds module

https://gerrit.wikimedia.org/r/1026555

gerritbot added a project: Patch-For-Review.Thu, May 2, 12:53 PM

Change #1026556 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] modules: Add restrictedSecurityContext to statsd

https://gerrit.wikimedia.org/r/1026556

gerritbot added a comment.Fri, May 3, 3:00 PM

Change #1026555 merged by jenkins-bot:

[operations/deployment-charts@master] New version of statds module

https://gerrit.wikimedia.org/r/1026555

gerritbot added a comment.Fri, May 3, 3:00 PM

Change #1026556 merged by jenkins-bot:

[operations/deployment-charts@master] modules: Add restrictedSecurityContext to statsd

https://gerrit.wikimedia.org/r/1026556

gerritbot added a comment.Fri, May 3, 3:17 PM

Change #1026954 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] kserve-inference: add securityContext explicit config

https://gerrit.wikimedia.org/r/1026954

Scott_French subscribed.Fri, May 3, 10:26 PM
gerritbot added a comment.Fri, May 3, 10:27 PM

Change #1027050 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mathoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1027050

gerritbot added a comment.Mon, May 6, 2:56 PM

Change #1027050 merged by jenkins-bot:

[operations/deployment-charts@master] mathoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1027050

gerritbot added a comment.Mon, May 6, 9:54 PM

Change #1028604 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] apertium: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028604

gerritbot added a comment.Mon, May 6, 9:54 PM

Change #1028605 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] api-gateway: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028605

gerritbot added a comment.Tue, May 7, 5:06 PM

Change #1028604 merged by jenkins-bot:

[operations/deployment-charts@master] apertium: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028604

gerritbot added a comment.Tue, May 7, 11:18 PM

Change #1028910 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] benthos: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028910

gerritbot added a comment.Tue, May 7, 11:18 PM

Change #1028911 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] blubberoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028911

gerritbot added a comment.Wed, May 8, 3:00 PM

Change #1028605 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028605

gerritbot added a comment.Fri, May 10, 4:51 PM

Change #1030190 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] changeprop: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030190

gerritbot added a comment.Fri, May 10, 4:55 PM

Change #1030191 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] citoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030191

gerritbot added a comment.Fri, May 10, 4:57 PM

Change #1030195 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] cxserver: add securityContext to all containers

https://gerrit.wikimedia.org/r/1030195

gerritbot added a comment.Mon, May 13, 6:00 PM

Change #1028911 merged by jenkins-bot:

[operations/deployment-charts@master] blubberoid: add securityContext to all containers

https://gerrit.wikimedia.org/r/1028911

gerritbot added a comment.Tue, May 14, 12:34 AM

Change #1031105 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] DNM: ipiod: ensure all containers have securityContext

https://gerrit.wikimedia.org/r/1031105

gerritbot added a comment.Tue, May 14, 3:15 PM

Change #1031497 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] aqs-http-gateway: add securityContext to all containers

https://gerrit.wikimedia.org/r/1031497

gerritbot added a comment.Tue, May 14, 3:43 PM

Change #1028910 merged by jenkins-bot:

[operations/deployment-charts@master] benthos: adopt securityContext and base.external-services-networkpolicy

https://gerrit.wikimedia.org/r/1028910

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL