[SURE-8270] Gitjob controller security context #2359

manno · 2024-04-23T11:29:11Z

The fleet-controller and fleet-agent dissallow privilege escalation and use a read only filesystem. Gitjob controller should do the same.

These must be disabled in debug mode, so we can attach debuggers and profilers.

thardeck · 2024-05-16T12:43:28Z

QA Template

Add additional security restrictions to the Gitjob deployment without any noticeable impact on the usage.

Verify that polling of git repos work fine (Optional verify different git setups, like e.g. ssh, ssh with known hosts)
Run a fleet upgrade from a previous Fleet version with a working git repo and make sure that polling works fine afterwards
Verify that the upgraded gitjob configuration has the additional security permissions

manno added this to the v2.9.0 milestone Apr 23, 2024

manno added the kind/chore label Apr 23, 2024

manno changed the title ~~Gitjob controller security context~~ [SURE-8270] Gitjob controller security context Apr 23, 2024

manno added the JIRA Must shout label Apr 23, 2024

thardeck self-assigned this Apr 24, 2024

thardeck mentioned this issue Apr 26, 2024

Add readOnlyRootFilesystem to deployment_gitjob.yaml #2379

Merged

manno added the status/waiting-for-fleet-rc-and-chart label May 16, 2024

sbulage self-assigned this May 17, 2024

sbulage removed the status/waiting-for-fleet-rc-and-chart label May 28, 2024