
[chart/redis-ha][REQUEST] Migrate from Pod Security Policy to SecurityContext

Open pierluigilenoci opened this issue 2 years ago • 1 comment

Is your feature request related to a problem? Please describe.

Pod Security Policies are deprecated and will be removed in Kubernetes v1.25.

Migration to another alternative is necessary. To date there are some alternative solutions:

Describe the solution you'd like

A solution that is ecumenical and covers all the aforementioned alternatives is the use of Security Context directly in the manifest of the chart.

This change must involve both ha-server and ha-proxy.

Describe alternatives you've considered

A possible solution would be to implement all the major alternatives within the chart but it is certainly a more onerous job.

Additional context

Related to #29

pierluigilenoci avatar Jun 27 '22 12:06 pierluigilenoci

kyverno-cli provides a convenient way to check the manifests statically.

The following command reports 7 violations of the PSS restricted profile policies:

kustomize build https://github.com/kyverno/policies//pod-security | \
  kyverno apply -r \
  <(helm template --repo https://dandydeveloper.github.io/charts redis-ha) \
  -

Relates to https://github.com/haproxytech/helm-charts/issues/150

joebowbeer avatar Jul 10 '22 22:07 joebowbeer
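The securityContext approach proposed in the issue and the static PSS check described in the comment above, as an added example that is neither the redis-ha chart's code nor kyverno's: a small Python checker for the restricted-profile fields a chart's securityContext has to set, run over two constructed pod specs (one bare, one hardened).

```python
# Added example, not code from the redis-ha chart or from kyverno: a minimal static
# check of a pod spec against the Pod Security Standards "restricted" profile fields
# that a securityContext in the chart templates has to set. Both pod specs below are
# constructed to resemble a redis-ha pod.

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}   # the only capability restricted permits adding
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def check_restricted(pod_spec: dict) -> list[str]:
    """Return violation messages for the checks covered here (empty list = passes)."""
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            violations.append(f"pod: {field} must not be true")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"{name}: privileged must not be true")
        # runAsNonRoot/runAsUser may be inherited from the pod level; the effective
        # value is what counts, and a container-level value overrides the pod's
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        # restricted requires an explicit false; an unset field is a violation
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(f"{name}: capabilities.add not allowed: {sorted(extra)}")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# Constructed: a redis-like container with no securityContext at all.
UNHARDENED_POD = {"containers": [{"name": "redis", "image": "redis:7"}]}

# Constructed: the same pod with a securityContext that satisfies the checks above.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "redis", "image": "redis:7", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}
```

Running `check_restricted` on each spec shows four violations for the bare pod and none for the hardened one; the kyverno pod-security policies cover further checks (volume types, host ports, sysctls) not reproduced here.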

@lord-kyron @DandyDeveloper can you please take a look?

pierluigilenoci avatar Aug 08 '22 10:08 pierluigilenoci

On it hopefully today or tomorrow. Sorry, this wasn't on my radar originally.

@joebowbeer @pierluigilenoci

DandyDeveloper avatar Aug 08 '22 11:08 DandyDeveloper

@DandyDeveloper are you going to look into this? Kubernetes 1.25 is close and if this is going to be deprecated, it will become a real problem.

lord-kyron avatar Aug 12 '22 06:08 lord-kyron

Yes, unfortunately just been busy and it's a holiday in Japan right now.

DandyDeveloper avatar Aug 12 '22 07:08 DandyDeveloper

@DandyDeveloper any news about this?

pierluigilenoci avatar Aug 22 '22 10:08 pierluigilenoci

@joebowbeer @pierluigilenoci I'm on this now, I will need to step away and deal with it in the morning.

I'm currently using kyverno based on the pod-security policy. This all seems very sensible, I'm just working through and making sure the templating is accurate and working as intended.

DandyDeveloper avatar Aug 22 '22 12:08 DandyDeveloper

@joebowbeer @pierluigilenoci Please take a look at the PR, I need a couple of pairs of eyes to confirm this looks good.

DandyDeveloper avatar Aug 23 '22 00:08 DandyDeveloper