skupper icon indicating copy to clipboard operation
skupper copied to clipboard
verified publisher icon skupperproject

Add securityContext to skupper-router deployment

Open fgiorgetti opened this issue 1 month ago • 1 comments

Fixes #2326

fgiorgetti avatar Nov 25 '25 15:11 fgiorgetti

One point to discuss here. Would it be better if we add a new env var + flag to the Controller, so that we can define whether or not to use SCC / PSA at runtime, instead of using a static logic?

fgiorgetti avatar Nov 26 '25 13:11 fgiorgetti

@nluaces @c-kruse @hash-d Do you guys see any issue with keeping just the following entries:

top level securityContext (seccompProfile left out)

  • deployment.spec.template.spec.securityContext.runAsNonRoot (true)

all containers

  • deployment.spec.template.spec.containers[*].securityContext.allowPrivilegeEscalation (false)
  • deployment.spec.template.spec.containers[*].securityContext.capabilities (drop all)
  • deployment.spec.template.spec.containers[*].securityContext.runAsNonRoot (true)

all initContainers

  • deployment.spec.template.spec.initContainers[*].securityContext.allowPrivilegeEscalation (false)
  • deployment.spec.template.spec.initContainers[*].securityContext.capabilities (drop all)
  • deployment.spec.template.spec.initContainers[*].securityContext.runAsNonRoot (true)

I believe that even these agreed upon fields, could be added by default as part of the upcoming 2.2 release, but we could introduce a flag/env-var to disable this behavior, if someone needs that for any reason.

If you guys agree, I will make these changes and request a new round of review.

Thank you.

fgiorgetti avatar Dec 03 '25 22:12 fgiorgetti

@fgiorgetti that approach sounds good to me!

c-kruse avatar Dec 03 '25 22:12 c-kruse