
Zarf overwrites namespace labels required when deploying to env with restricted pod security standard

Open Ansible-man opened this issue 5 months ago • 11 comments

Environment

Device and OS: RHEL 9
App version: 0.38.3
Kubernetes distro being used: rke2
Other:

Steps to reproduce

  1. Create zarf namespace with labels that allow it to run in an environment that enforces the restricted pod security standard
  2. Deploy Zarf with zarf init command (we use a custom package that only has the zarf agent based on iron bank images)

Expected result

  1. Zarf leaves the existing NS labels alone

Actual Result

Zarf removes the labels and fails to deploy due to non-compliance

Visual Proof (screenshots, videos, text, etc)

Severity/Priority

medium

Additional Context

Add any other context or screenshots about the technical debt here. Instead of requiring users to apply exceptions, Zarf should natively comply with the Kubernetes restricted pod security standard, especially when building it for a government use case.
Please see https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

Ansible-man, Aug 27 '24 00:08
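The difference between the reported and the expected behaviour, as an added example that is not part of the original issue and is not Zarf's code: replacing a namespace's label set drops its Pod Security Admission labels, while merging keeps them. The function names, the sample labels and the `app.kubernetes.io/managed-by` value are assumptions made for illustration; the issue does not list the labels that were actually set.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// psaPrefix is the label prefix Pod Security Admission reads on a namespace.
const psaPrefix = "pod-security.kubernetes.io/"

// applyLabels returns the labels a namespace ends up with after a deploy tool
// applies its desired set. preserve=false replaces the existing labels
// (reported behaviour); preserve=true merges into them (expected behaviour).
func applyLabels(existing, desired map[string]string, preserve bool) map[string]string {
	out := map[string]string{}
	if preserve {
		for k, v := range existing {
			out[k] = v
		}
	}
	for k, v := range desired {
		out[k] = v
	}
	return out
}

// droppedPSALabels lists Pod Security Admission labels that were set before
// the deploy and are missing or changed afterwards, in sorted order.
func droppedPSALabels(before, after map[string]string) []string {
	var dropped []string
	for k, v := range before {
		if got, ok := after[k]; strings.HasPrefix(k, psaPrefix) && (!ok || got != v) {
			dropped = append(dropped, k)
		}
	}
	sort.Strings(dropped)
	return dropped
}

func main() {
	// Constructed sample labels; the issue does not list the actual ones.
	before := map[string]string{psaPrefix + "enforce": "baseline", "team": "platform"}
	desired := map[string]string{"app.kubernetes.io/managed-by": "zarf"} // assumed tool label
	fmt.Println("overwrite drops:", droppedPSALabels(before, applyLabels(before, desired, false)))
	fmt.Println("merge drops:", droppedPSALabels(before, applyLabels(before, desired, true)))
}
```

Running the same comparison on the namespace's labels captured before and after `zarf init` shows whether a given release still strips them.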