
Allow setting security context for vault and etcd pods

Open · hasbro17 opened this issue 7 years ago · 1 comment

A k8s cluster can have admission control policies that can restrict the allowed pod security policy.

The vault-operator should allow a user to set the pod security policy for a vault cluster's pods via the PodPolicy field. https://github.com/coreos-inc/vault-operator/blob/master/pkg/apis/vault/v1alpha1/types.go#L79

Similarly for the EtcdCluster created by the vault-operator for a vault cluster, the PodSecurityPolicy should be configurable through the VaultService CR. https://github.com/coreos/etcd-operator/releases/tag/v0.9.2

hasbro17, Apr 18 '18 17:04

You should see if you can make it work for dynamic UIDs too: https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines. Though, due to mounts in vanilla k8s, this is generally hard to make work without also setting fsGroup to 0 by default (in my experience).

chancez, Apr 19 '18 23:04
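As an added illustration of what the two comments above are asking for (this is example configuration written here, not manifests from the vault-operator project or from either commenter), here is a restrictive PodSecurityPolicy of the kind an admission controller would enforce, next to a VaultService CR that passes a pod security context through to the vault pods and to the EtcdCluster the operator creates. The `pod.securityContext` and `etcd.pod.securityContext` stanzas on the VaultService are hypothetical field names for the feature this issue requests; the `apiVersion`, `kind`, `nodes` and `version` fields follow the vault-operator's existing VaultService CR, and the PodSecurityPolicy and security context contents are standard Kubernetes fields. The UID/GID values are placeholders.

```yaml
# Added example, not from the vault-operator project.
# A PodSecurityPolicy that forbids root and privilege escalation and
# constrains fsGroup/supplementalGroups to a non-zero range.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-vault
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs          # note: this range rejects fsGroup: 0
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: false
  volumes: ["configMap", "secret", "emptyDir", "persistentVolumeClaim"]
---
# The VaultService CR with the security context the issue asks to expose.
apiVersion: vault.security.coreos.com/v1alpha1
kind: VaultService
metadata:
  name: example
spec:
  nodes: 2
  version: "0.9.1-0"
  pod:
    securityContext:          # hypothetical field on PodPolicy
      runAsNonRoot: true
      runAsUser: 100          # placeholder UID; omit on OpenShift so the SCC assigns one
      fsGroup: 100            # placeholder GID
  etcd:                       # hypothetical: etcd pod policy forwarded to the EtcdCluster
    pod:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000       # placeholder UID
        fsGroup: 1000         # placeholder GID
```

Two practical notes. First, on OpenShift the restricted SCC assigns the UID from the project's allocated range at admission time, so a pod that pins `runAsUser` to a fixed value outside that range is rejected; to support the dynamic-UID case the operator would have to leave `runAsUser` unset and let the image work with an arbitrary UID, which is the point of the OpenShift guideline chancez links. Second, if the vanilla-Kubernetes mount problem chancez describes forces `fsGroup: 0`, the PSP above would reject the pod because its `fsGroup` rule excludes 0; the policy's `fsGroup` rule would have to be relaxed (for example to `RunAsAny`) for that cluster. PodSecurityPolicy was removed in Kubernetes 1.25 in favour of Pod Security Admission, but the pod-level `securityContext` fields shown in the CR are unchanged.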