Kubernetes Privileged Namespaces #2764
Alexander Hausen opened 1 month ago

Hi,

When we run builds on Kubernetes, we usually see the following PodSecurity warnings:

Kubernetes: Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "default" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "default" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "default" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "default" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Waiting for service to be ready...
....
Service is ready
Kubernetes: Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "init", "step-0", "step-1", "step-2-0", "step-2-1", "step-3-0", "step-3-1", "step-4", "sidecar" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init", "step-0", "step-1", "step-2-0", "step-2-1", "step-3-0", "step-3-1", "step-4", "sidecar" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "init", "step-0", "step-1", "step-2-0", "step-2-1", "step-3-0", "step-3-1", "step-4", "sidecar" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "init", "step-0", "step-1", "step-2-0", "step-2-1", "step-3-0", "step-3-1", "step-4", "sidecar" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

We are using the auto-discovered Kubernetes executor. Would it be possible for the executor to label the namespaces it creates with something like the following?

pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged

This would prevent these warnings from appearing during builds and keep the build logs cleaner.

Thanks in advance!

Best regards, Alex
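The warnings in the post name four controls of the Pod Security "restricted" profile. The following Python is an added example (not OneDev's code and not from the issue) that checks a pod spec against exactly those four controls, shows the pod-side fix (setting the `securityContext` fields the warning asks for), and builds the three `pod-security.kubernetes.io/*` namespace labels the issue proposes. The sample build pod (containers `init`, `step-0`, `sidecar`) is constructed to resemble the one in the log; the function names and the `_message` wording are assumptions made here, while the field names follow the Kubernetes PodSpec/SecurityContext schema.

```python
"""Added example (not OneDev's code): evaluate a pod against the four
"restricted" controls quoted in the PodSecurity warning, and show the two
ways to silence it: fixing the pod's securityContext, or labelling the
namespace "privileged" as the issue proposes.

The build pod below is constructed to resemble the one in the log; the
field names follow the Kubernetes PodSpec / SecurityContext schema.
"""
import copy
from typing import Dict, List

# Constructed sample: no securityContext anywhere, like the pods in the log.
BUILD_POD: Dict = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "build-1", "namespace": "onedev-build-1"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "step-0", "image": "alpine"},
            {"name": "sidecar", "image": "alpine"},
        ],
    },
}


def _all_containers(pod: Dict) -> List[Dict]:
    """Init containers and regular containers are checked the same way."""
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def _message(control: str, scope: str, names: List[str], fix: str) -> str:
    """Mirror the wording of the admission warning (assumed format)."""
    noun = "container" if len(names) == 1 else "containers"
    quoted = ", ".join(f'"{n}"' for n in names)
    return f"{control} ({scope}{noun} {quoted} must {fix})"


def restricted_violations(pod: Dict) -> List[str]:
    """Return the warning fragments restricted:latest would emit for this pod.

    Only the four controls named in the issue are implemented; the real
    "restricted" profile additionally contains every "baseline" check.
    """
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    no_ape, caps, root, seccomp = [], [], [], []
    for c in _all_containers(pod):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            no_ape.append(c["name"])
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            caps.append(c["name"])
        # runAsNonRoot and seccompProfile may be set on the pod and inherited;
        # a container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            root.append(c["name"])
        profile = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            seccomp.append(c["name"])
    out = []
    if no_ape:
        out.append(_message("allowPrivilegeEscalation != false", "", no_ape,
                            "set securityContext.allowPrivilegeEscalation=false"))
    if caps:
        out.append(_message("unrestricted capabilities", "", caps,
                            'set securityContext.capabilities.drop=["ALL"]'))
    if root:
        out.append(_message("runAsNonRoot != true", "pod or ", root,
                            "set securityContext.runAsNonRoot=true"))
    if seccomp:
        out.append(_message("seccompProfile", "pod or ", seccomp,
                            'set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"'))
    return out


def harden(pod: Dict) -> Dict:
    """Copy of the pod with exactly the settings the warning asks for."""
    fixed = copy.deepcopy(pod)
    spec = fixed.setdefault("spec", {})
    spec.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
    )
    for c in _all_containers(fixed):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False
        sc.setdefault("capabilities", {})["drop"] = ["ALL"]
    return fixed


def pss_namespace_labels(level: str) -> Dict[str, str]:
    """Pod Security Admission labels for a namespace; "privileged" disables
    all checks, which is what the issue asks the executor to set."""
    if level not in ("privileged", "baseline", "restricted"):
        raise ValueError(f"unknown Pod Security level: {level}")
    return {f"pod-security.kubernetes.io/{mode}": level
            for mode in ("enforce", "audit", "warn")}


if __name__ == "__main__":
    for line in restricted_violations(BUILD_POD):
        print('Warning: would violate PodSecurity "restricted:latest":', line)
    print("after harden():", restricted_violations(harden(BUILD_POD)))
    print("namespace labels:", pss_namespace_labels("privileged"))
```

Run as-is, the script prints the same four fragments the log shows for the constructed pod, an empty list for the hardened copy, and the three labels (`kubectl label ns <name> pod-security.kubernetes.io/enforce=privileged ...` applies them by hand). The trade-off is the usual one for CI: `runAsNonRoot=true` fails at start-up for any step image that runs as UID 0, so hardening the pods means fixing the images, whereas the `privileged` labels simply switch the checks off for those namespaces.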

  • OneDev commented 2 weeks ago

    State changed as build OD-7442 is successful

  • OneDev changed state to 'Closed' 2 weeks ago
    Previous Value: Open
    Current Value: Closed
Type: Improvement
Priority: Normal
Assignee: (none)
Labels: No labels
Issue Votes (0)
Watchers (3)
Reference: OD-2764