substra-backend

chore: enforce pod security standards

Open SdgJlbl opened this issue 10 months ago • 5 comments

Fixes FL-1453

How to test:

Deploy locally (with skaffold), and then apply labels:

kubectl label --dry-run=server --overwrite ns org-2 pod-security.kubernetes.io/enforce=baseline

or

kubectl label --dry-run=server --overwrite ns org-2 pod-security.kubernetes.io/enforce=restricted

The baseline profile should yield no warning. The restricted profile will show a few warnings, which we are trying to remove.

SdgJlbl avatar Apr 29 '24 13:04 SdgJlbl
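To illustrate the kind of findings the restricted label surfaces in the test above, here is an added example (not part of this PR or the substra-backend code) that checks a pod spec offline against a simplified subset of the restricted profile's container rules. The function name, finding strings and sample pod spec are constructed for illustration, and the server-side dry run remains the authoritative check.

```python
# Added example: simplified subset of the "restricted" Pod Security Standard.
# It checks the effective per-container securityContext only.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def restricted_violations(pod_spec):
    """Return sorted (container, finding) pairs for a pod spec given as a dict."""
    pod_sc = pod_spec.get("securityContext") or {}
    containers = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        containers.extend(pod_spec.get(key) or [])
    findings = []
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation must be false"))
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            findings.append((name, "capabilities.drop must include ALL"))
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            findings.append((name, "capabilities.add not allowed: " + ",".join(sorted(extra))))
        # A container-level value overrides the pod-level one when it is set.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((name, "runAsNonRoot must be true"))
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            findings.append((name, "seccompProfile.type must be RuntimeDefault or Localhost"))
    return sorted(findings)


# Constructed sample, not taken from the substra-backend charts.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "hardened", "securityContext": {
            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}},
        {"name": "default-settings"},
        {"name": "extra-caps", "securityContext": {
            "allowPrivilegeEscalation": False, "runAsNonRoot": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}},
    ],
}

if __name__ == "__main__":
    for container, finding in restricted_violations(SAMPLE_POD_SPEC):
        print(f"{container}: {finding}")
```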

/e2e --tests sdk

ThibaultFy avatar Apr 29 '24 15:04 ThibaultFy

End to end tests: :x: FAILURE

Jobs status:

“Boy, that escalated quickly.” ― Ron Burgundy, Anchorman: The Legend of Ron Burgundy

Owlfred avatar Apr 29 '24 15:04 Owlfred

It seems to miss a permission for accessing substra namespace

Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource Namespace "substra" in namespace "": namespaces "substra" is forbidden: User "[email protected]" cannot get resource "namespaces" in API group "" in the namespace "substra": requires one of ["container.namespaces.get"] permission(s).

ThibaultFy avatar Apr 29 '24 15:04 ThibaultFy

> It seems to miss a permission for accessing substra namespace
>
> Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource Namespace "substra" in namespace "": namespaces "substra" is forbidden: User "[email protected]" cannot get resource "namespaces" in API group "" in the namespace "substra": requires one of ["container.namespaces.get"] permission(s).

The namespace.yaml is just an example to test, but I'll remove it from this PR, since it's confusing.

SdgJlbl avatar Apr 30 '24 15:04 SdgJlbl

/e2e --tests=sdk,doc

SdgJlbl avatar May 29 '24 08:05 SdgJlbl

End to end tests: :x: FAILURE

Jobs status:

Too bad.

Owlfred avatar May 29 '24 08:05 Owlfred

/e2e --tests=sdk,doc

thbcmlowk avatar May 29 '24 12:05 thbcmlowk

End to end tests: :heavy_check_mark: SUCCESS

Aw yeah!

Owlfred avatar May 29 '24 12:05 Owlfred

/e2e --tests=sdk,doc

SdgJlbl avatar May 29 '24 12:05 SdgJlbl

End to end tests: :heavy_check_mark: SUCCESS

Owlfred avatar May 29 '24 12:05 Owlfred

/e2e --tests=sdk,doc

SdgJlbl avatar May 30 '24 09:05 SdgJlbl

End to end tests: :heavy_check_mark: SUCCESS

Congratulations!

Owlfred avatar May 30 '24 09:05 Owlfred

Are we?

1. Testing the charts in an `alpha` version before merging (once dev is available)

2. Merging then testing the charts + code in `alpha` on dev

I would recommend going for (1) as the code update is very minor.

I would also be in favour of 1 (and the whole thing will be tested at the next release anyway)

SdgJlbl avatar May 30 '24 09:05 SdgJlbl

Tested on dev with Camelyon, the compute plans ran correctly.

SdgJlbl avatar Jun 06 '24 14:06 SdgJlbl