Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to specify securityContext for vaultConfigurer container #231

Open
2 tasks done
msg-gregor opened this issue Oct 17, 2023 · 0 comments
Open
2 tasks done

Allow to specify securityContext for vaultConfigurer container #231

msg-gregor opened this issue Oct 17, 2023 · 0 comments
Labels
kind/enhancement Categorizes issue or PR as related to an improvement.

Comments

@msg-gregor
Copy link

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I agree to follow the Code of Conduct.

Problem Description

Vault operator does not allow to specify securityContext for the vaultConfigurer pod container, it only allows to specify the podSecurityContext for the whole pod

This is not sufficient in all cases. For example, we deploy in a managed rancher kubernetes cluster with strict security policies. All containers are forced to have the following security profile or they won't be scheduled:

securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ "ALL" ]
  seccompProfile:
    type: RuntimeDefault

Some but not all of them can be set by using the pods security context on a pod level, however, e.g., allowPrivilegeEscalation and capabilities can only be set on a container level

This missing feature prevents us from using bank-vaults operator, because it is impossible for us to deploy the vaultConfigurer pod

Proposed Solution

Add a vaultConfigurerContainerSpec that allows to configure/extend container spec for vaultConfigurer - similar to the already existing vaultContainerSpec - to the VaultSpec API

Alternatives Considered

No response

Additional Information

No response
@msg-gregor msg-gregor added the kind/enhancement Categorizes issue or PR as related to an improvement. label Oct 17, 2023
@ramizpolic ramizpolic mentioned this issue Oct 19, 2023
Closed
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Dec 17, 2023
@ramizpolic ramizpolic removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Dec 21, 2023
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 25, 2024
@akijakya akijakya removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Feb 28, 2024
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label May 5, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label May 5, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 5, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 5, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/enhancement Categorizes issue or PR as related to an improvement.
Projects
Project backlog
Status: 🆕 New
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ramizpolic @akijakya @csatib02 @msg-gregor