feat: container level security context #345
Conversation
fixes #297
Hi @llaszkie, thanks on working on this!
Hi @yorugac , Yes - I was considering the wrapper solution - as suggested in the #297. But it could bring more challenges than benefits. In the K8S definitions those contexts are defined separately: pod here and container here, but they overlap in some attributes (sic!), like What could be done instead is to explicitly expose Container in your API. It would even more align both models (K8S and K6) and solution could be cleaner? Let me know how about that approach.
WDYM by that? After some looking into this, yes, I agree that there's obviously a goal of exposing a more granular control over security context in Kubernetes definitions, hence two objects. It'd be nice if we could avoid over-complicating our API. I think the main problem with the current implementation is that
I.e. here: https://github.com/grafana/k6-operator/blob/main/pkg/resources/jobs/helpers.go#L120-L147
I was thinking about extracting the container settings to a separate object embedded within the Pod. Probably too much overhead 😄 Thanks for the hint for the init containers - absolutely right. Fixed.
@llaszkie, apologies for the delay. Thanks for the update; the changes seem to be fine 👍 But could you please rebase the branch against
fb5b553 to 84b75b3
Good morning! @yorugac: rebased. I suppose we are good to go now :-)
@llaszkie, I have to ask for 2 more things though both should be pretty quick:
- please see my comment about Helm chart (I accidentally posted it as a comment instead of including into review)
- it'd be nice to add a sample of TestRun definition with a new option into config/samples.
Thank you for the updates, @llaszkie!
Hi!
The feature differentiates securityContext at the pod and container levels. It makes the `k6-operator` capable of operating on K8S >= 1.25 when PSS (Pod Security Standards), the built-in Pod Security Admission controller, is in place and the level is set to Restricted.
Sample usage:
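Why a pod-level-only securityContext cannot satisfy the Restricted profile, as an added example (not k6-operator code and not the PR's own sample): the struct types below are constructed mirrors of the relevant Kubernetes fields, and the checker applies the Restricted rules that allowPrivilegeEscalation and capabilities.drop exist only on the container, while runAsNonRoot and seccompProfile may come from either level.

```go
package main

import "fmt"

// Constructed minimal mirrors of the k8s fields the Restricted profile looks at
// (not the k8s.io/api types). An empty SeccompProfile means "unset".
type PodSecurityContext struct {
	RunAsNonRoot   *bool
	SeccompProfile string
}

type ContainerSecurityContext struct {
	RunAsNonRoot             *bool
	SeccompProfile           string
	AllowPrivilegeEscalation *bool
	DropCapabilities         []string
}

func boolPtr(b bool) *bool { return &b }

// RestrictedViolations lists the Restricted-profile rules a container would fail.
// Pod-level values act as defaults; container-level values override them.
// allowPrivilegeEscalation and capabilities have no pod-level equivalent, so an
// API exposing only PodSecurityContext can never clear those two checks.
func RestrictedViolations(pod PodSecurityContext, c ContainerSecurityContext) []string {
	var v []string
	nonRoot := pod.RunAsNonRoot
	if c.RunAsNonRoot != nil {
		nonRoot = c.RunAsNonRoot
	}
	if nonRoot == nil || !*nonRoot {
		v = append(v, "runAsNonRoot must be true")
	}
	seccomp := pod.SeccompProfile
	if c.SeccompProfile != "" {
		seccomp = c.SeccompProfile
	}
	if seccomp != "RuntimeDefault" && seccomp != "Localhost" {
		v = append(v, "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	if c.AllowPrivilegeEscalation == nil || *c.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation must be explicitly false")
	}
	dropAll := false
	for _, name := range c.DropCapabilities {
		if name == "ALL" {
			dropAll = true
		}
	}
	if !dropAll {
		v = append(v, "capabilities.drop must include ALL")
	}
	return v
}

func main() {
	pod := PodSecurityContext{RunAsNonRoot: boolPtr(true), SeccompProfile: "RuntimeDefault"}
	fmt.Println(RestrictedViolations(pod, ContainerSecurityContext{})) // pod-level only: 2 violations
	ctr := ContainerSecurityContext{AllowPrivilegeEscalation: boolPtr(false), DropCapabilities: []string{"ALL"}}
	fmt.Println(RestrictedViolations(pod, ctr)) // both levels set: none
}
```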