Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: mount-volumes-for-ephemeral-containers policy #1225

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: mount-volumes-for-ephemeral-containers policy #1225

wants to merge 2 commits into from
+170 −0

Conversation

Darkhood148
Copy link

Related Issue(s)

#1088

Description

This PR adds a sample policy to mount volumes and set default security context for ephemeral containers; along with chainsaw tests for the same

Checklist

  • I have read the policy contribution guidelines.
  • I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

@Darkhood148
Copy link
Author

Darkhood148 commented Jan 23, 2025
edited
Loading

Hi @realshuting,

The description of the chainsaw tests is as follows:

  • Step 1: Create the policy
  • Step 2: Create a pod with the label ephemeral-debug: true and verify that the volume is added to the pod
  • Step 3: Verify the security context of a newly created ephemeral container by ensuring that it is a read-only file system
  • Step 4: Check if volumeMounts are being correctly added

@Darkhood148
Adds chainsaw tests
693d741 
Signed-off-by: Darkhood148 <[email protected]>
realshuting
realshuting reviewed Jan 30, 2025
View reviewed changes
other/mount-volumes-for-ephemeral-containers/mount-volumes-for-ephemeral-containers.yaml
Comment on lines +48 to +49
+(securityContext):
+(readOnlyRootFilesystem): true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see this is checked in chainsaw-test.yaml, can we add it?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I verified it by attempting to create a file and checking if it was actually being created or not (as it is read-only file system). Should I check it directly instead?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you point me to it?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line 36-38 in chainsaw-test.yaml

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@realshuting 😅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@realshuting realshuting realshuting left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Darkhood148 @realshuting