Allow to configure securityContext for che-gateway container
Is your enhancement related to a problem? Please describe
Restricted Pod Security Standards (see more https://kubernetes.io/docs/concepts/security/pod-security-standards/) cannot be applied to the user devworkspace pod due to lack of che-gateway container configuration.
Example of error:
Error creating DevWorkspace deployment:
Detected unrecoverable deployment condition:
FailedCreate pods "workspace007423daa3654c20-7d55dc8c5-lvfrx" is forbidden:
violates PodSecurity "restricted:latest":
allowPrivilegeEscalation != false (container "che-gateway" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "che-gateway" must set securityContext.capabilities.drop=["ALL"])
Important: CheCluster has a proper configuration which is applied to all containers except che-gateway:
spec:
  devEnvironments:
    security:
      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      podSecurityContext:
        seccompProfile:
          type: RuntimeDefault
I see we have gatewayContainer under devEnvironments to configure che-gateway. But this configuration has nothing related to the securityContext.
Describe the solution you'd like
The che-gateway container should respect the securityContext configuration as well:
spec:
  devEnvironments:
    security:
      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      podSecurityContext:
        seccompProfile:
          type: RuntimeDefault
Describe alternatives you've considered
No response
Additional context
No response
@amisevsk What do you think?
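The following is an added illustration, not code from che-operator or DWO. It encodes the two "restricted:latest" controls named in the error above (allowPrivilegeEscalation must be false, capabilities.drop must contain ALL) plus the seccomp control that the podSecurityContext in the CheCluster satisfies, runs them over a constructed DevWorkspace-style pod spec in which only che-gateway lacks a securityContext, and then shows that applying the CheCluster containerSecurityContext to every container (including ones added later, which is the che-gateway case) clears the violations. The container names, images and the pod layout are assumptions for the example; the check covers only this subset of the restricted profile, not the full standard.

```python
"""Subset check of the 'restricted' Pod Security Standard for a pod spec.

Added example (not che-operator/DWO code). Implements only the controls
visible in the DevWorkspace error: allowPrivilegeEscalation, dropped
capabilities, and the seccomp profile, which may be set at pod or container level.
"""
import copy

# Constructed sample: a DevWorkspace-style pod whose user container already
# carries the CheCluster containerSecurityContext, while the che-gateway
# container (added from the DevWorkspaceRouting) has no securityContext.
SAMPLE_POD_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {
            "name": "tools",
            "image": "example.invalid/tools:latest",  # constructed image ref
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        },
        {
            "name": "che-gateway",
            "image": "example.invalid/gateway:latest",  # constructed image ref
        },
    ],
}

# The containerSecurityContext block from the CheCluster in the issue.
CHE_CONTAINER_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}

ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")


def container_violations(container, pod_security_context=None):
    """Return violation strings for one container, worded like the admission error."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    problems = []

    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(
            f'allowPrivilegeEscalation != false (container "{name}" must set '
            "securityContext.allowPrivilegeEscalation=false)"
        )

    dropped = set((sc.get("capabilities") or {}).get("drop") or [])
    if "ALL" not in dropped:
        problems.append(
            f'unrestricted capabilities (container "{name}" must set '
            'securityContext.capabilities.drop=["ALL"])'
        )

    # A container-level seccompProfile overrides the pod-level one.
    seccomp = sc.get("seccompProfile") or (pod_security_context or {}).get("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        problems.append(
            f'seccompProfile (pod or container "{name}" must set '
            'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
        )
    return problems


def pod_violations(pod_spec):
    """Collect violations across regular and init containers of a pod spec."""
    psc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    violations = []
    for c in containers:
        violations.extend(container_violations(c, psc))
    return violations


def apply_container_security_context(pod_spec, container_sc):
    """Return a copy of pod_spec with container_sc merged into every container.

    Configured keys override per-container values, so a container added in a
    later step (the che-gateway case) ends up with the same settings.
    """
    patched = copy.deepcopy(pod_spec)
    for c in patched.get("containers", []) + patched.get("initContainers", []):
        merged = dict(c.get("securityContext") or {})
        merged.update(copy.deepcopy(container_sc))
        c["securityContext"] = merged
    return patched


if __name__ == "__main__":
    for v in pod_violations(SAMPLE_POD_SPEC):
        print("before:", v)
    fixed = apply_container_security_context(SAMPLE_POD_SPEC, CHE_CONTAINER_SECURITY_CONTEXT)
    print("after:", pod_violations(fixed) or "no violations")
```

Running it lists exactly the two che-gateway violations from the issue and none for the tools container; after the merge the pod passes this subset of the restricted checks.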
For some reason I had assumed this was resolved in https://github.com/eclipse-che/che-operator/commit/b9d8ce34b541a30d2d5f7329210bccd580bc0561 but that does not seem to be the case.
It seems like https://github.com/eclipse-che/che-operator/commit/1bd44bdb28d20716fb7523d83f249945334d9641 needs to be extended to allow setting the securityContext for the che-gateway container.
If we are going to work on this feature, it seems like it'd make sense for either @mkuznyetsov or me to work on it since our PRs are closely related to this work.
This could also be considered a DWO bug; since the gateway container is added in a separate step (i.e. it comes from the devworkspace routing object and is created by the Che Operator) it might be getting missed in DWO's adding of security context.
I think it might make more sense to fix it in DWO if possible.
More context: DWO uses the configured container SecurityContext when generating containers for a flattened devfile but this SecurityContext is not applied to containers coming from the DevWorkspaceRouting.
Hello @amisevsk, @AObuchow. Is there any update on this request?
@karatkep no updates thus far, unfortunately. This issue needs to be prioritized accordingly, and I am currently working on some other tasks, however I will bring it up to the team this coming week for discussion.
Dear @ibuziuk, @AObuchow, @amisevsk,
I understand that you are busy with other tasks and have your own priority list. That's fair and reasonable... but I would like to clarify something for myself. Given that this issue has been prevalent for more than six months and it still hasn't been addressed, does this mean that the problem will not be resolved within this year of 2024? Simply put, if that's the case, then I can approach it differently and add a hook that will solve it.