aerokube / moon

Browser automation solution for Kubernetes and Openshift supporting Selenium, Playwright, Puppeteer and Cypress

Home Page: http://aerokube.com/moon/latest

Ability to configure container security context

vania-pooh opened this issue · comments

Could be needed in some restricted environments.

Since EKS 1.25, PodSecurityPolicy support was removed and PodSecurityAdmission support was added instead. When using PodSecurityAdmission we have three levels of restrictions:

  • restricted - the most secure
  • baseline
  • privileged

It makes sense to run browser pods in restricted mode, but for now it is impossible:

➜ kubectl label --dry-run=server --overwrite ns moon-browsers pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "moon-browsers" violate the new PodSecurity enforce level "restricted:latest"
Warning: microsoftedge-100-0-6c5dbf83-e0b8-43eb-bf60-f1615f34f569: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/skondrashov labeled
2023/10/07 19:32:41 moon-6579f8df58-jnx6l: moon-browsers: microsoftedge-100-0-ea392d85-7e46-404e-9211-5f3f315baa9d: waiting resources: pods "microsoftedge-100-0-ea392d85-7e46-404e-9211-5f3f315baa9d" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "ca-certs", "x-server-init", "browser", "defender", "x-server", "vnc-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "ca-certs", "x-server-init", "browser", "defender", "x-server", "vnc-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "ca-certs", "x-server-init", "browser", "defender", "x-server", "vnc-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "ca-certs", "x-server-init", "browser", "defender", "x-server", "vnc-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

That means we have to configure a strict securityContext and seccompProfile. Please add either the ability to configure these parameters in the browser set, or a single parameter like useRestrictedMode: true.
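As an added example (not part of this issue or of the moon project), a small Python checker that applies the four restricted-profile rules quoted in the admission error above to a constructed pod spec using the same container names, plus a helper that applies a per-container securityContext satisfying them. The container names and the BROWSER_POD spec are constructed for illustration.

```python
from copy import deepcopy

SECCOMP_OK = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod: dict) -> list[str]:
    """Apply the four checks from the restricted:latest error above; [] means the pod passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    found = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation != false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            found.append(f"{name}: unrestricted capabilities")
        # runAsNonRoot and seccompProfile may be set on the pod and overridden per container
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot != true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in SECCOMP_OK:
            found.append(f"{name}: seccompProfile")
    return found


def restricted_security_context() -> dict:
    """A container securityContext that satisfies all four checks."""
    return {
        "allowPrivilegeEscalation": False,
        "runAsNonRoot": True,
        "capabilities": {"drop": ["ALL"]},
        "seccompProfile": {"type": "RuntimeDefault"},
    }


def harden(pod: dict) -> dict:
    """Return a copy of pod with the restricted securityContext set on every container."""
    hardened = deepcopy(pod)
    for key in ("initContainers", "containers"):
        for c in hardened["spec"].get(key, []):
            c["securityContext"] = restricted_security_context()
    return hardened


# Constructed pod with the container names from the admission error (no securityContext yet).
BROWSER_POD = {"spec": {
    "initContainers": [{"name": n} for n in ("ca-certs", "x-server-init")],
    "containers": [{"name": n} for n in ("browser", "defender", "x-server", "vnc-server")],
}}
```

Running restricted_violations on BROWSER_POD reports four findings per container, matching the admission message; after harden it reports none.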