Page MenuHomePhabricator
Create Task
Maniphest T369491

Migrate aux cluster off of Pod Security Policies
Closed, ResolvedPublic
Actions

Description

As a pre-dependency for the next Kubernetes update, the cluster needs to be migrated from Pod Security Policies to Pod Security Standards.

The process is described in (feel free to extend where you see fit):
https://wikitech.wikimedia.org/wiki/Kubernetes/Clusters/PSP_replacement

Details

SubjectRepoBranchLines +/-
kubernetes: disable PSP for the AUX clusteroperations/puppetproduction+8 -0
admin_ng: enforce PSS for the AUX clusteroperations/deployment-chartsmaster+3 -3
jaeger: set securityContext for the oauth sidecaroperations/deployment-chartsmaster+3 -1
jaeger: swap securityContext with podSecurityContextoperations/deployment-chartsmaster+75 -19
aux-services: update Docker images for Jaegeroperations/deployment-chartsmaster+2 -2
admin_ng: set disablePSPMutations for AUXoperations/deployment-chartsmaster+6 -0
jaeger: add securityContext configurationoperations/deployment-chartsmaster+17 -11
aux: Add securityContext to istio componentsoperations/deployment-chartsmaster+9 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

JMeybohm created this task.Jul 8 2024, 10:08 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 8 2024, 10:08 AM
JMeybohm updated the task description. (Show Details)Jul 8 2024, 10:12 AM
JMeybohm mentioned this in T273507: PodSecurityPolicies will be deprecated with Kubernetes 1.21.Jul 8 2024, 10:19 AM
elukey added a project: User-Elukey.Jul 8 2024, 10:30 AM
gerritbot added a comment.Jul 8 2024, 10:39 AM

Change #1052700 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] aux: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052700

gerritbot added a project: Patch-For-Review.Jul 8 2024, 10:39 AM
bking subscribed.Jul 8 2024, 12:56 PM
CDanis subscribed.Jul 8 2024, 1:05 PM
gerritbot added a comment.Jul 8 2024, 1:42 PM

Change #1052700 merged by Elukey:

[operations/deployment-charts@master] aux: Add securityContext to istio components

https://gerrit.wikimedia.org/r/1052700

CDanis claimed this task.Jul 8 2024, 2:44 PM
CDanis triaged this task as Medium priority.
Maintenance_bot removed a project: Patch-For-Review.Jul 9 2024, 8:41 PM
elukey subscribed.Aug 27 2024, 4:08 PM
gerritbot added a comment.Aug 28 2024, 4:01 PM

Change #1068034 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] jaeger: add securityContext configuration

https://gerrit.wikimedia.org/r/1068034

gerritbot added a project: Patch-For-Review.Aug 28 2024, 4:01 PM
elukey moved this task from Backlog to In Progress on the User-Elukey board.Aug 29 2024, 1:32 PM
gerritbot added a comment.Sep 5 2024, 1:47 PM

Change #1068034 merged by Elukey:

[operations/deployment-charts@master] jaeger: add securityContext configuration

https://gerrit.wikimedia.org/r/1068034

Maintenance_bot removed a project: Patch-For-Review.Sep 5 2024, 2:31 PM
elukey added a comment.Sep 6 2024, 8:08 AM
root@deploy1003:~# kube-env admin aux-k8s-eqiad 

root@deploy1003:~# kubectl get ns -l pod-security.kubernetes.io/audit=restricted -o name | while read ns; do
    kubectl label --dry-run=server --overwrite "$ns" pod-security.kubernetes.io/enforce=restricted;
done
namespace/cert-manager labeled
namespace/external-services labeled
namespace/istio-system labeled
namespace/jaeger labeled

root@deploy1003:~# kubectl get pods -A -o=jsonpath='{range .items[?(@.metadata.annotations.kubernetes\.io/psp!="privileged")]}{@.metadata.namespace}{" "}{@.metadata.annotations.kubernetes\.io/psp}{"\n"}{end}' | sort -u | column -t -s' ' | grep -v 'restricted$
gerritbot added a comment.Sep 6 2024, 8:11 AM

Change #1071132 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] admin_ng: set disablePSPMutations for AUX

https://gerrit.wikimedia.org/r/1071132

gerritbot added a project: Patch-For-Review.Sep 6 2024, 8:11 AM
gerritbot added a comment.Sep 6 2024, 1:14 PM

Change #1071132 merged by Elukey:

[operations/deployment-charts@master] admin_ng: set disablePSPMutations for AUX

https://gerrit.wikimedia.org/r/1071132

elukey added a comment.Sep 6 2024, 1:26 PM

Next steps:

Maintenance_bot removed a project: Patch-For-Review.Sep 6 2024, 1:30 PM
gerritbot added a comment.Sep 10 2024, 1:15 PM

Change #1071872 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] aux-services: update oauth2 image for Jaeger

https://gerrit.wikimedia.org/r/1071872

gerritbot added a project: Patch-For-Review.Sep 10 2024, 1:15 PM
gerritbot added a comment.Sep 11 2024, 8:46 AM

Change #1071872 merged by Elukey:

[operations/deployment-charts@master] aux-services: update Docker images for Jaeger

https://gerrit.wikimedia.org/r/1071872

elukey added a comment.Sep 11 2024, 9:16 AM

Found a violation:

annotations.authorization.k8s.io/decision
allow
	
annotations.authorization.k8s.io/reason
RBAC: allowed by ClusterRoleBinding "system:controller:replicaset-controller" of ClusterRole "system:controller:replicaset-controller" to ServiceAccount "replicaset-controller/kube-system"
	
annotations.pod-security.kubernetes.io/audit-violations
would violate PodSecurity "restricted:latest": seccompProfile (pod or container "main-jaeger-agent-oauth2-sidecar" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Maintenance_bot removed a project: Patch-For-Review.Sep 11 2024, 9:31 AM
gerritbot added a comment.Sep 11 2024, 9:39 AM

Change #1072156 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] jaeger: swap securityContext with podSecurityContext

https://gerrit.wikimedia.org/r/1072156

gerritbot added a project: Patch-For-Review.Sep 11 2024, 9:39 AM
gerritbot added a comment.Sep 11 2024, 9:42 AM

Change #1072156 abandoned by Elukey:

[operations/deployment-charts@master] jaeger: swap securityContext with podSecurityContext

Reason:

sigh

https://gerrit.wikimedia.org/r/1072156

gerritbot added a comment.Sep 11 2024, 9:46 AM

Change #1072157 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] jaeger: set securityContext for the oauth sidecar

https://gerrit.wikimedia.org/r/1072157

gerritbot added a comment.Sep 11 2024, 12:53 PM

Change #1072157 merged by Elukey:

[operations/deployment-charts@master] jaeger: set securityContext for the oauth sidecar

https://gerrit.wikimedia.org/r/1072157

gerritbot added a comment.Sep 11 2024, 1:03 PM

Change #1072196 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/deployment-charts@master] admin_ng: enforce PSS for the AUX cluster

https://gerrit.wikimedia.org/r/1072196

gerritbot added a comment.Sep 11 2024, 1:12 PM

Change #1072196 merged by Elukey:

[operations/deployment-charts@master] admin_ng: enforce PSS for the AUX cluster

https://gerrit.wikimedia.org/r/1072196

gerritbot added a comment.Sep 11 2024, 1:26 PM

Change #1072202 had a related patch set uploaded (by Elukey; author: Elukey):

[operations/puppet@production] kubernetes: disable PSP for the AUX cluster

https://gerrit.wikimedia.org/r/1072202

gerritbot added a comment.Sep 11 2024, 1:38 PM

Change #1072202 merged by Elukey:

[operations/puppet@production] kubernetes: disable PSP for the AUX cluster

https://gerrit.wikimedia.org/r/1072202

elukey closed this task as Resolved.Sep 11 2024, 1:45 PM

AUX migrated to PSS!

elukey added a comment.Sep 11 2024, 2:07 PM

Filed a PR for the upstream jaeger chart: https://github.com/jaegertracing/helm-charts/pull/600

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits