Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to specify securityContext for vaultConfigurer container #231

Open
2 tasks done
msg-gregor opened this issue Oct 17, 2023 · 3 comments
Open
2 tasks done

Allow to specify securityContext for vaultConfigurer container #231

msg-gregor opened this issue Oct 17, 2023 · 3 comments
Labels
kind/enhancement Categorizes issue or PR as related to an improvement. lifecycle/keep Denotes an issue or PR that should be preserved from going stale. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@msg-gregor
Copy link

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I agree to follow the Code of Conduct.

Problem Description

Vault operator does not allow to specify securityContext for the vaultConfigurer pod container, it only allows to specify the podSecurityContext for the whole pod

This is not sufficient in all cases. For example, we deploy in a managed rancher kubernetes cluster with strict security policies. All containers are forced to have the following security profile or they won't be scheduled:

securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ "ALL" ]
  seccompProfile:
    type: RuntimeDefault

Some but not all of them can be set by using the pods security context on a pod level, however, e.g., allowPrivilegeEscalation and capabilities can only be set on a container level

This missing feature prevents us from using bank-vaults operator, because it is impossible for us to deploy the vaultConfigurer pod

Proposed Solution

Add a vaultConfigurerContainerSpec that allows to configure/extend container spec for vaultConfigurer - similar to the already existing vaultContainerSpec - to the VaultSpec API

Alternatives Considered

No response

Additional Information

No response
@msg-gregor msg-gregor added the kind/enhancement Categorizes issue or PR as related to an improvement. label Oct 17, 2023
@ramizpolic ramizpolic mentioned this issue Oct 19, 2023
Closed
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Dec 17, 2023
@ramizpolic ramizpolic removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Dec 21, 2023
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 25, 2024
@akijakya akijakya removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 28, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label May 5, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label May 5, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 5, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 5, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 5, 2024
@ghost
Copy link

ghost commented Jun 6, 2024
edited by ghost
Loading

@ramizpolic any news on this? :) I think @msg-gregor is not the only one (we are at least 2 haha) to not be able to use bank-vaults in prod because of vaultConfigurerContainerSpec missing in a restricted environment. Would be amazing if faisable :)

@ramizpolic
Copy link
Member

@fakeNews-jpg (cool nickname btw), yes, we will focus on this in the upcoming weeks, will share more details once we start working on it

@justinwalz
Copy link

Along the same lines... feature request to also add it to the config-templating initContainer too, please.

@ramizpolic ramizpolic added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jun 11, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Aug 11, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Aug 11, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Aug 11, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Oct 13, 2024
@csatib02 csatib02 added lifecycle/keep Denotes an issue or PR that should be preserved from going stale. and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Oct 13, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot Oct 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/enhancement Categorizes issue or PR as related to an improvement. lifecycle/keep Denotes an issue or PR that should be preserved from going stale. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
Project backlog
Status: 📋 Backlog
Milestone
No milestone
Development

No branches or pull requests
5 participants
@justinwalz @ramizpolic @akijakya @csatib02 @msg-gregor