Skip to content

Add securityContext to skupper-router deployment#2327

Merged
fgiorgetti merged 3 commits intoskupperproject:mainfrom
fgiorgetti:fg-scc-issue
Feb 2, 2026
Merged

Add securityContext to skupper-router deployment#2327
fgiorgetti merged 3 commits intoskupperproject:mainfrom
fgiorgetti:fg-scc-issue

Conversation

@fgiorgetti
Copy link
Copy Markdown
Member

@fgiorgetti fgiorgetti commented Nov 25, 2025

Fixes #2326

@fgiorgetti fgiorgetti requested a review from hash-d November 25, 2025 17:02
@fgiorgetti
Copy link
Copy Markdown
Member Author

fgiorgetti commented Nov 26, 2025

One point to discuss here.
Would it be better if we add a new env var + flag to the Controller, so that we can define whether
or not to use SCC / PSA at runtime, instead of using a static logic?

c-kruse
c-kruse reviewed Dec 2, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@c-kruse c-kruse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that the SecurityContexts set up on the containers are pretty unobjectionable. I suppose we could gate them, but I can't think of a situation where any of these settings would not be desirable.

Comment thread internal/kube/site/resources/apply.go Outdated
}
}

// addPodSecurityContext Only added if server version is >=1.24
Copy link
Copy Markdown
Contributor

@c-kruse c-kruse Dec 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am curious where we came up with this version: Looking back in api docs history I didn't see much evidence that this wouldn't work prior to 1.24 - near as I can tell it would work as far back as 1.19 (when seccomp went GA.)

Copy link
Copy Markdown
Member Author

@fgiorgetti fgiorgetti Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that as well. I left is as is, because that is the version defined in V1.
Anyway, I believe we will end up removing the seccompProfile element from the PR,
so this whole function can go away.

Comment thread internal/kube/site/resources/skupper-router-deployment.yaml Outdated
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Copy link
Copy Markdown
Contributor

@c-kruse c-kruse Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect seccompProfile type "RuntimeDefault" is going to be suitable for most use cases, but hard coding it would likely end up being a deal breaker in some environments. We definitely need a way to either omit a seccompProfile (and defer the setting to an external controller or mutating admissions webhook) or a way to configure this (enviornment variable/flag/site setting.)

Copy link
Copy Markdown
Member Author

@fgiorgetti fgiorgetti Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with you. The seccompProfile should be left out of this.

@fgiorgetti
Copy link
Copy Markdown
Member Author

fgiorgetti commented Dec 3, 2025

@nluaces @c-kruse @hash-d Do you guys see any issue with keeping just the following entries:

top level securityContext (seccompProfile left out)

  • deployment.spec.template.spec.securityContext.runAsNonRoot (true)

all containers

  • deployment.spec.template.spec.containers[*].securityContext.allowPrivilegeEscalation (false)
  • deployment.spec.template.spec.containers[*].securityContext.capabilities (drop all)
  • deployment.spec.template.spec.containers[*].securityContext.runAsNonRoot (true)

all initContainers

  • deployment.spec.template.spec.initContainers[*].securityContext.allowPrivilegeEscalation (false)
  • deployment.spec.template.spec.initContainers[*].securityContext.capabilities (drop all)
  • deployment.spec.template.spec.initContainers[*].securityContext.runAsNonRoot (true)

I believe that even these agreed upon fields, could be added by default as part of the upcoming 2.2 release,
but we could introduce a flag/env-var to disable this behavior, if someone needs that for any reason.

If you guys agree, I will make these changes and request a new round of review.

Thank you.

@c-kruse
Copy link
Copy Markdown
Contributor

c-kruse commented Dec 3, 2025

@fgiorgetti that approach sounds good to me!

@fgiorgetti
Copy link
Copy Markdown
Member Author

fgiorgetti commented Dec 29, 2025

@c-kruse @nluaces @hash-d I have just added a flag to disable the new default behavior of adding a securityContext with the default values we discussed here. Please give it a try and let me know your thoughts.

@fgiorgetti fgiorgetti merged commit fc06489 into skupperproject:main Feb 2, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nluaces nluaces nluaces approved these changes

@c-kruse c-kruse c-kruse approved these changes

@hash-d hash-d Awaiting requested review from hash-d

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Containers missing securityContext

3 participants

@fgiorgetti @c-kruse @nluaces