Skip to content

Add securityContext to skupper-router deployment #2327

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fgiorgetti wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add securityContext to skupper-router deployment #2327

fgiorgetti wants to merge 3 commits into from
+46 −10

Conversation

@fgiorgetti
Copy link
Member

@fgiorgetti fgiorgetti commented Nov 25, 2025

Fixes #2326

@fgiorgetti fgiorgetti requested a review from hash-d November 25, 2025 17:02
@fgiorgetti
Copy link
Member Author

fgiorgetti commented Nov 26, 2025

One point to discuss here.
Would it be better if we add a new env var + flag to the Controller, so that we can define whether
or not to use SCC / PSA at runtime, instead of using a static logic?

c-kruse
c-kruse reviewed Dec 2, 2025
View reviewed changes
Copy link
Contributor

@c-kruse c-kruse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that the SecurityContexts set up on the containers are pretty unobjectionable. I suppose we could gate them, but I can't think of a situation where any of these settings would not be desirable.

internal/kube/site/resources/apply.go Outdated
}
}

// addPodSecurityContext Only added if server version is >=1.24
Copy link
Contributor

@c-kruse c-kruse Dec 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am curious where we came up with this version: Looking back in api docs history I didn't see much evidence that this wouldn't work prior to 1.24 - near as I can tell it would work as far back as 1.19 (when seccomp went GA.)

Copy link
Member Author

@fgiorgetti fgiorgetti Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that as well. I left is as is, because that is the version defined in V1.
Anyway, I believe we will end up removing the seccompProfile element from the PR,
so this whole function can go away.

internal/kube/site/resources/skupper-router-deployment.yaml Outdated
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Copy link
Contributor

@c-kruse c-kruse Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect seccompProfile type "RuntimeDefault" is going to be suitable for most use cases, but hard coding it would likely end up being a deal breaker in some environments. We definitely need a way to either omit a seccompProfile (and defer the setting to an external controller or mutating admissions webhook) or a way to configure this (enviornment variable/flag/site setting.)

Copy link
Member Author

@fgiorgetti fgiorgetti Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with you. The seccompProfile should be left out of this.

@fgiorgetti
Copy link
Member Author

fgiorgetti commented Dec 3, 2025

@nluaces @c-kruse @hash-d Do you guys see any issue with keeping just the following entries:

top level securityContext (seccompProfile left out)

  • deployment.spec.template.spec.securityContext.runAsNonRoot (true)

all containers

  • deployment.spec.template.spec.containers[*].securityContext.allowPrivilegeEscalation (false)
  • deployment.spec.template.spec.containers[*].securityContext.capabilities (drop all)
  • deployment.spec.template.spec.containers[*].securityContext.runAsNonRoot (true)

all initContainers

  • deployment.spec.template.spec.initContainers[*].securityContext.allowPrivilegeEscalation (false)
  • deployment.spec.template.spec.initContainers[*].securityContext.capabilities (drop all)
  • deployment.spec.template.spec.initContainers[*].securityContext.runAsNonRoot (true)

I believe that even these agreed upon fields, could be added by default as part of the upcoming 2.2 release,
but we could introduce a flag/env-var to disable this behavior, if someone needs that for any reason.

If you guys agree, I will make these changes and request a new round of review.

Thank you.

@c-kruse
Copy link
Contributor

c-kruse commented Dec 3, 2025

@fgiorgetti that approach sounds good to me!

@fgiorgetti
Copy link
Member Author

fgiorgetti commented Dec 29, 2025

@c-kruse @nluaces @hash-d I have just added a flag to disable the new default behavior of adding a securityContext with the default values we discussed here. Please give it a try and let me know your thoughts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@c-kruse c-kruse c-kruse approved these changes

@hash-d hash-d Awaiting requested review from hash-d

@nluaces nluaces Awaiting requested review from nluaces nluaces is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Containers missing securityContext

3 participants

@fgiorgetti @c-kruse @nluaces