Comments (6)

kfox1111 avatar kfox1111 commented on August 22, 2024 1

If we only support one override, then just using helm's --namespace flag makes more sense to me.

But, I can see a need to install the privileged stuff in one namespace, and the unprivileged stuff in another, to properly utilize:
https://kubernetes.io/docs/concepts/security/pod-security-admission/

I'll want to deploy it in this way if possible.

from helm-charts.

marcofranssen avatar marcofranssen commented on August 22, 2024

Why do we need a values file for this? This is simply done on the cli via --namespace, no need to put this in values files.

{{ .Release.Namespace }}

adheres to that commandline flag you give when doing helm install or helm upgrade, this looks like an anti-pattern to me. I have never seen a chart that defines the namespace in values.yaml.

from helm-charts.

faisal-memon avatar faisal-memon commented on August 22, 2024

I see it in a lot of helm charts. Some examples:

It's not a requirement, just a suggestion from what I've seen in other charts.

from helm-charts.

marcofranssen avatar marcofranssen commented on August 22, 2024

Now really wondering why those charts are doing that 🤔 .

In general I always install charts like this.

helm upgrade -n spire-system --install --create-namespace --values my-values.yaml spire ./charts/spire
helm upgrade -n other-namespace --install --create-namespace --values my-values.yaml spire ./charts/spire
helm upgrade -n spire --install --create-namespace --values my-values.yaml spire ./charts/spire

This already gives me the chance to pick a namespace.

🤔

from helm-charts.

marcofranssen avatar marcofranssen commented on August 22, 2024

@kfox1111 could you elaborate on that thought a bit with some example how you would utilize that? E.g. what goes in your privileged namespace and what in the unprivileged. This sounds very interesting.

We might even code defaults to split these things across namespaces by default if we add pod-security-admission to this chart.

from helm-charts.

kfox1111 avatar kfox1111 commented on August 22, 2024

It's a replacement of the PSP that some of us used to build multitenant clusters. In pod security admission, you can label your namespaces with one of the pod security standard values:
https://kubernetes.io/docs/concepts/security/pod-security-standards/

The two main ones we may want to deal with are:

  1. Privileged - https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged
  2. Restricted - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

They basically restrict what features of the pods can be used and/or Linux capabilities. Like, a restricted pod cannot run as uid 0 nor mount hostPaths, along with a bunch of other stuff.

Ideally you'd have the most hardened standard possible on a pod for extra security.

The stuff that really does need hostPath would need to be privileged. (csi driver, agent daemonset) but stuff like the spire server probably doesn't, and could benefit from the extra hardening.

from helm-charts.
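Added example to illustrate the split kfox1111 describes; this is not code from the helm-charts project. It shows the three labels Pod Security Admission reads on a Namespace object, and a small check that predicts whether a pod spec would pass the restricted profile (the hostPath and uid 0 rules named above, plus the other well-known restricted requirements), which tells you which of the two namespaces a component has to be installed into. The namespace names, image references and the two pod specs are constructed samples, not the chart's templates.

```python
"""Decide which Pod Security Standard namespace a SPIRE component belongs in.

Added example, not the helm-charts project's code. Pod specs and names below
are constructed for illustration.
"""
import json

PSA_LABEL_PREFIX = "pod-security.kubernetes.io/"
PSA_MODES = ("enforce", "audit", "warn")
PSS_LEVELS = ("privileged", "baseline", "restricted")


def namespace_manifest(name: str, level: str) -> dict:
    """Namespace object labelled so PSA enforces, audits and warns at `level`."""
    if level not in PSS_LEVELS:
        raise ValueError(f"unknown Pod Security Standard level: {level}")
    return {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {
            "name": name,
            "labels": {PSA_LABEL_PREFIX + mode: level for mode in PSA_MODES},
        },
    }


def restricted_violations(pod_spec: dict) -> list:
    """Return the restricted-profile rules a pod spec breaks (empty = passes).

    Covers hostPath, running as root, privileged, privilege escalation,
    capabilities and seccomp; the full profile is in the Pod Security
    Standards docs linked in the thread.
    """
    problems = []
    pod_sc = pod_spec.get("securityContext", {})
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            problems.append(f"volume {vol.get('name')!r} uses hostPath")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        # Container-level settings override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_non_root is not True or run_as_user == 0:
            problems.append(f"container {name!r} may run as root (uid 0)")
        if sc.get("privileged"):
            problems.append(f"container {name!r} is privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r} must set allowPrivilegeEscalation: false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"container {name!r} must drop ALL capabilities")
        added = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if added:
            problems.append(f"container {name!r} adds capabilities {sorted(added)}")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name!r} needs a RuntimeDefault/Localhost seccomp profile")
    return problems


def target_namespace(pod_spec: dict, restricted_ns: str, privileged_ns: str) -> str:
    """Pick the namespace a workload must be installed into."""
    return restricted_ns if not restricted_violations(pod_spec) else privileged_ns


# Constructed sample: a server pod hardened to the restricted profile.
SPIRE_SERVER_POD = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "spire-server",
        "image": "example.invalid/spire-server:placeholder",  # placeholder image
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
    "volumes": [{"name": "spire-data", "persistentVolumeClaim": {"claimName": "spire-data"}}],
}

# Constructed sample: an agent pod that needs a hostPath and runs as root.
SPIRE_AGENT_POD = {
    "containers": [{
        "name": "spire-agent",
        "image": "example.invalid/spire-agent:placeholder",  # placeholder image
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]},
                            "seccompProfile": {"type": "RuntimeDefault"}},
    }],
    "volumes": [{"name": "spire-agent-socket-dir",
                 "hostPath": {"path": "/run/spire/agent-sockets", "type": "DirectoryOrCreate"}}],
}

if __name__ == "__main__":
    # Hypothetical namespace names; pass them to helm with -n as in the thread.
    for ns, level in (("spire-server", "restricted"), ("spire-system", "privileged")):
        print(json.dumps(namespace_manifest(ns, level)))
    for label, spec in (("server", SPIRE_SERVER_POD), ("agent", SPIRE_AGENT_POD)):
        print(label, "->", target_namespace(spec, "spire-server", "spire-system"),
              restricted_violations(spec))
```

Run it to see the agent spec land in the privileged namespace (hostPath plus root) and the server spec in the restricted one; the printed Namespace objects can be piped to kubectl apply before the helm install, since a label on the namespace is all PSA needs.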
