ingress-nginx

Drop PSP and use PSA

Open rikatz opened this issue 9 months ago • 9 comments

PSP has not been supported for a long time now, including in the versions that we officially support on ingress-nginx

This PR drops PSP, and runs all the e2e tests using PSA + baseline enforcement

As a follow-up, we should test with "restricted" baseline and see if everything works fine (I don't think so, due to us binding to NodePort and port 80)

rikatz avatar Nov 02 '23 22:11 rikatz

Deploy Preview for kubernetes-ingress-nginx canceled.

Name Link
Latest commit 8d975d53872c90baea18df01a82e73cb3fc9e27e
Latest deploy log https://app.netlify.com/sites/kubernetes-ingress-nginx/deploys/6544261d47b5b4000887cb26

netlify[bot] avatar Nov 02 '23 22:11 netlify[bot]

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Nov 02 '23 22:11 k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment

Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Nov 02 '23 22:11 k8s-ci-robot

Asked on https://github.com/helm/helm/issues/11194 about supporting PSA labels on Helm during namespace creation

rikatz avatar Nov 02 '23 22:11 rikatz

See this PR: https://github.com/kubernetes/ingress-nginx/pull/10491

It's working totally fine with Restricted as long as you do not enable the chroot mode.

Additionally and as long as this project is supporting Kubernetes v1.24, I'd not completely remove PSP but rather keep the option to disable it.

Your changes are also not adding the keys added in the values to the deployment in the Helm chart, only in the static files.

Gacko avatar Nov 03 '23 10:11 Gacko
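
The gap between the baseline and restricted levels discussed above, as an added example that is not part of the thread or of the ingress-nginx project: a simplified check of a container securityContext against a subset of the Pod Security Standards. The sample securityContexts are constructed, and that chroot mode adds the SYS_CHROOT capability is an assumption made for illustration.

```python
# Added example: a simplified subset of the Pod Security Standards (PSS)
# container checks. Real PSA evaluates more fields and pod-level settings too.
BASELINE_ADD = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID",
                "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID",
                "SETPCAP", "SETUID", "SYS_CHROOT"}
RESTRICTED_ADD = {"NET_BIND_SERVICE"}  # the only capability restricted lets you add


def violations(ctx, level):
    """Return the PSS controls a container securityContext fails at `level`."""
    caps = ctx.get("capabilities", {})
    add, drop = set(caps.get("add", [])), set(caps.get("drop", []))
    failed = []
    if ctx.get("privileged"):
        failed.append("privileged")
    allowed = RESTRICTED_ADD if level == "restricted" else BASELINE_ADD
    if add - allowed:
        failed.append("capabilities.add")
    if level == "restricted":
        if "ALL" not in drop:
            failed.append("capabilities.drop")
        if ctx.get("allowPrivilegeEscalation") is not False:
            failed.append("allowPrivilegeEscalation")
        if ctx.get("runAsNonRoot") is not True:
            failed.append("runAsNonRoot")
        seccomp = ctx.get("seccompProfile", {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            failed.append("seccompProfile")
    return failed


# Constructed securityContexts (assumed values, not copied from the chart).
DEFAULT = {
    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}
# Assumption: chroot mode needs SYS_CHROOT on top of the default context.
CHROOT = dict(DEFAULT, capabilities={"drop": ["ALL"],
                                     "add": ["NET_BIND_SERVICE", "SYS_CHROOT"]})

if __name__ == "__main__":
    for name, ctx in (("default", DEFAULT), ("chroot", CHROOT)):
        for level in ("baseline", "restricted"):
            print(f"{name:8} {level:10} {violations(ctx, level) or 'ok'}")
```

Binding port 80 only needs NET_BIND_SERVICE, which restricted permits, while SYS_CHROOT is accepted at baseline and rejected at restricted.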

@Gacko thanks!! On v1.24, we won't support it anymore on v1.10, so this is fine.

For the changes not adding to the deployment, this is the big deal :) I need to add those to the namespace label, and not deployment but we don't manage the namespace labels, so that's why I've asked on helm repo if there's a way to support it!

rikatz avatar Nov 03 '23 12:11 rikatz

Ah, yeah, my fault - I mixed things up. Of course this needs to be added to the namespace. Sorry for that!

Gacko avatar Nov 05 '23 21:11 Gacko

PR needs rebase.


k8s-ci-robot avatar Nov 08 '23 05:11 k8s-ci-robot

/assign

Gacko avatar Apr 04 '24 15:04 Gacko