diff --git a/devel/addon/bind/manifests/deployment.yaml b/devel/addon/bind/manifests/deployment.yaml
index 44d6138c2..429fb9fe7 100644
--- a/devel/addon/bind/manifests/deployment.yaml
+++ b/devel/addon/bind/manifests/deployment.yaml
@@ -18,6 +18,10 @@ spec:
 - name: bind
 image: sameersbn/bind:bazel
 imagePullPolicy: Never
+ # TODO(wallrj): I couldn't figure out how to run Bind as a non-root user, using this Docker image.
+ # I think bind expects to start as root and then chown to a non-root BIND user.
+ # securityContext:
+ # runAsNonRoot: true
 command:
 - /bin/bash
 - -c
diff --git a/devel/addon/kyverno/install.sh b/devel/addon/kyverno/install.sh
index 423ae1860..16e2b2157 100755
--- a/devel/addon/kyverno/install.sh
+++ b/devel/addon/kyverno/install.sh
@@ -32,5 +32,5 @@ check_tool kustomize
 helm repo add kyverno https://kyverno.github.io/kyverno/
 helm repo update
 helm upgrade --install --wait kyverno kyverno/kyverno --namespace kyverno --create-namespace
-# Install all Pod security policies
-kustomize build https://github.com/kyverno/policies/pod-security | kubectl apply -f -
+# Install policies using local kustomization.yaml
+kustomize build ${SCRIPT_ROOT} | kubectl apply -f -
diff --git a/devel/addon/kyverno/kustomization.yaml b/devel/addon/kyverno/kustomization.yaml
new file mode 100644
index 000000000..70a4ea85f
--- /dev/null
+++ b/devel/addon/kyverno/kustomization.yaml
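Review bot: The new TODO records that the bind container keeps running as root but not what that means for the rest of this commit: the kyverno `require-run-as-non-root` policy installed by `install.sh` is not excluded for this deployment (the kustomization patch added in the same commit is itself commented out as not working), so this pod should be expected to be reported or rejected by that policy, depending on the policy's `validationFailureAction`. I'd say so in the comment so the next reader does not treat the violation as a regression, e.g. `# NOTE: flagged by kyverno's require-run-as-non-root until the exclusion patch in devel/addon/kyverno/kustomization.yaml works.` The second sentence ("I think bind expects to start as root and then chown…") is a guess about the image's entrypoint; confirming it against the image and noting which user named actually serves as would make the residual risk concrete rather than assumed. The container spec continues outside the hunk.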
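Review bot: `${SCRIPT_ROOT}` is unquoted in the new `kustomize build` line, unlike every other use of it in this commit (`setup-e2e-deps.sh` quotes it consistently); a path containing whitespace or glob characters would be word-split before reaching kustomize. Write `kustomize build "${SCRIPT_ROOT}" | kubectl apply -f -`. The hunk does not show where `SCRIPT_ROOT` is defined; presumably it is set earlier in this script near `check_tool kustomize`, which is worth confirming since the previous line fetched a fixed URL and did not depend on it.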
@@ -0,0 +1,24 @@
+bases:
+ - https://github.com/kyverno/policies/pod-security
+
+# Patch the pod security policy to exclude our E2E Bind deployment which is too
+# difficult to run as non-root
+# TODO(wallrj): This doesn't work because kustomize doesn't properly to
+# strategigMergePatch on custom resources.
+# See https://github.com/kubernetes-sigs/kustomize/issues/1510
+# And https://github.com/kubernetes-sigs/kustomize/issues/2339
+# patches:
+# - target:
+# kind: ClusterPolicy
+# name: require-run-as-non-root
+# patch: |-
+# apiVersion: kyverno.io/v1
+# kind: ClusterPolicy
+# metadata:
+# name: require-run-as-non-root
+# spec:
+# rules:
+# - name: check-containers
+# exclude:
+# resources:
+# namespaces: ["bind"]
diff --git a/devel/setup-e2e-deps.sh b/devel/setup-e2e-deps.sh
index fe39af5ae..9095c8bf9 100755
--- a/devel/setup-e2e-deps.sh
+++ b/devel/setup-e2e-deps.sh
@@ -32,7 +32,7 @@ source "${SCRIPT_ROOT}/lib/lib.sh"
 setup_tools
 echo "Installing kyverno into cluster..."
-"${SCRIPT_ROOT}/addon/kyverno/install.sh"
+"${SCRIPT_ROOT}/addon/kyverno/install.sh"
 echo "Installing cert-manager into the cluster..."
 "${SCRIPT_ROOT}/addon/certmanager/install.sh"
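Review bot: The `bases` entry references `https://github.com/kyverno/policies/pod-security` with no ref, so every E2E run applies whatever that third-party repository's default branch contains at the time; the removed `kustomize build <url>` line had the same exposure, but now that the reference lives in a committed file it is the natural place to pin it, e.g. `- https://github.com/kyverno/policies/pod-security?ref=<pinned-commit-or-tag>`. `bases` is also deprecated in kustomize in favour of `resources`, which accepts the same URL form. In the commented-out patch, `strategigMergePatch` should read `strategicMergePatch` and "doesn't properly to" is missing its verb ("doesn't properly apply a strategicMergePatch"); since the block is disabled, noting which kustomize version it was tried against would let it be re-tested once the two linked issues are resolved.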
@@ -41,20 +41,19 @@ check_bazel
 bazel build --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 //devel/addon/...
 echo "Installing sample-webhook into the cluster..."
-"${SCRIPT_ROOT}/addon/samplewebhook/install.sh"
+"${SCRIPT_ROOT}/addon/samplewebhook/install.sh"
 echo "Installing bind into the cluster..."
-"${SCRIPT_ROOT}/addon/bind/install.sh"
+"${SCRIPT_ROOT}/addon/bind/install.sh"
 echo "Installing pebble into the cluster..."
-"${SCRIPT_ROOT}/addon/pebble/install.sh"
+"${SCRIPT_ROOT}/addon/pebble/install.sh"
 echo "Installing ingress-nginx into the cluster..."
-"${SCRIPT_ROOT}/addon/ingressnginx/install.sh"
+"${SCRIPT_ROOT}/addon/ingressnginx/install.sh"
 echo "Loading vault into the cluster..."
-"${SCRIPT_ROOT}/addon/vault/install.sh"
+"${SCRIPT_ROOT}/addon/vault/install.sh"
 echo "Installing sample-external-issuer into the cluster..."
-"${SCRIPT_ROOT}/addon/sample-external-issuer/install.sh"
-
+"${SCRIPT_ROOT}/addon/sample-external-issuer/install.sh"