cloud-on-k8s
E2E: Use Kyverno to enforce security constraints
Alternative to https://github.com/elastic/cloud-on-k8s/pull/5820/
I think I'll close #5820 in favour of this one as Kyverno is simpler to apprehend. The Open Policy Agent is great; the idea of having ConstraintTemplates is interesting at a large scale, when there are a lot of projects on a cluster. It might, however, be a bit too involved wrt what we are trying to achieve here. We only want to enforce basic "static" policies on a couple of namespaces, and I don't think we really need the full power of the Rego policy language.
Fixes https://github.com/elastic/cloud-on-k8s/issues/5726
run/e2e-tests tags=agent
run/e2e-tests tags=agent
run/e2e-tests
Just to confirm, do we want to keep config/recipes/psp for a while, especially since it's referenced in the docs?
Yes. We do not, however, need to bind the roles in config/e2e/roles.yaml anymore; I'll remove these bindings.
Jenkins test this please
run/e2e-tests
run/e2e-tests
run/e2e-tests
run/e2e-tests