From fb8ff22cace0ecd16017cff6d613e9ffd5cf846a Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Fri, 12 Jul 2024 21:06:42 +0530
Subject: [PATCH] Moved the seccompProfile patches to istio/base/patches

Signed-off-by: biswajit-9776
---
 .../istio-install/base/kustomization.yaml | 2 ++
 .../patches/seccomp-istio-ingressgateway.yaml | 16 ++++++++++++++++
 .../base/patches/seccomp-istiod.yaml | 16 ++++++++++++++++
 .../base/kustomization.yaml | 5 +----
 .../patches/seccomp-istio-ingressgateway.yaml | 13 -------------
 .../base/patches/seccomp-istiod.yaml | 13 -------------
 .../istio-install/base/kustomization.yaml | 2 ++
 .../patches/seccomp-istio-ingressgateway.yaml | 16 ++++++++++++++++
 .../base/patches/seccomp-istiod.yaml | 16 ++++++++++++++++
 .../base/kustomization.yaml | 3 ---
 .../patches/seccomp-istio-ingressgateway.yaml | 13 -------------
 .../base/patches/seccomp-istiod.yaml | 13 -------------
 12 files changed, 69 insertions(+), 59 deletions(-)
 create mode 100644 common/istio-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
 create mode 100644 common/istio-1-22/istio-install/base/patches/seccomp-istiod.yaml
 delete mode 100644 common/istio-1-22/kubeflow-istio-resources/base/patches/seccomp-istio-ingressgateway.yaml
 delete mode 100644 common/istio-1-22/kubeflow-istio-resources/base/patches/seccomp-istiod.yaml
 create mode 100644 common/istio-cni-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
 create mode 100644 common/istio-cni-1-22/istio-install/base/patches/seccomp-istiod.yaml
 delete mode 100644 common/istio-cni-1-22/kubeflow-istio-resources/base/patches/seccomp-istio-ingressgateway.yaml
 delete mode 100644 common/istio-cni-1-22/kubeflow-istio-resources/base/patches/seccomp-istiod.yaml

diff --git a/common/istio-1-22/istio-install/base/kustomization.yaml b/common/istio-1-22/istio-install/base/kustomization.yaml
index da19a0353e..fdb6319b10 100644
--- a/common/istio-1-22/istio-install/base/kustomization.yaml
+++ b/common/istio-1-22/istio-install/base/kustomization.yaml
@@ -16,3 +16,5 @@ patches:
 - path: patches/disable-debugging.yaml
 - path: patches/istio-ingressgateway-remove-pdb.yaml
 - path: patches/istiod-remove-pdb.yaml
+- path: patches/seccomp-istio-ingressgateway.yaml
+- path: patches/seccomp-istiod.yaml
diff --git a/common/istio-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
new file mode 100644
index 0000000000..f8825a0263
--- /dev/null
+++ b/common/istio-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
@@ -0,0 +1,16 @@
+# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
+# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must
+# This is done to enable 'restricted' level security standards for the pods.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-ingressgateway
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: istio-proxy
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/common/istio-1-22/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-1-22/istio-install/base/patches/seccomp-istiod.yaml
new file mode 100644
index 0000000000..3174889f85
--- /dev/null
+++ b/common/istio-1-22/istio-install/base/patches/seccomp-istiod.yaml
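Review bot: The new patch pins `seccompProfile` only on the `istio-proxy` container (the `- name: istio-proxy` entry under `containers`), so it depends on that container name staying stable across Istio upgrades and covers no other container the Deployment may carry; placing it at pod level — `securityContext:` / `seccompProfile:` / `type: RuntimeDefault` directly under `spec.template.spec` — satisfies the same restricted-profile requirement for every container in the pod, and a container-level value can still override it where needed. The same applies to the `discovery` container in `seccomp-istiod.yaml` and to the two identical copies under `common/istio-cni-1-22/istio-install/base/patches/`. The header comment says this enables the 'restricted' level for the pods, but seccomp is only one of the restricted-profile controls; unless the base manifests already set the others (`runAsNonRoot`, `allowPrivilegeEscalation: false`, dropping all capabilities), I would narrow it to `# Sets the seccomp profile required by the 'restricted' Pod Security Standard.`. The `#:~:text=` text-fragment link is also brittle and pushes the line well past any length limit; linking the page without the fragment reads better.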
@@ -0,0 +1,16 @@
+# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
+# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must
+# This is done to enable 'restricted' level security standards for the pods.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: discovery
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml
index aaa19873b9..68b01b8b3b 100644
--- a/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml
+++ b/common/istio-1-22/kubeflow-istio-resources/base/kustomization.yaml
@@ -3,7 +3,4 @@ kind: Kustomization
 resources:
 - kf-istio-resources.yaml
 - cluster-roles.yaml
-namespace: kubeflow
-patches:
-- path: patches/seccomp-istio-ingressgateway.yaml
-- path: patches/seccomp-istiod.yaml
\ No newline at end of file
+namespace: kubeflow
\ No newline at end of file
diff --git a/common/istio-1-22/kubeflow-istio-resources/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-1-22/kubeflow-istio-resources/base/patches/seccomp-istio-ingressgateway.yaml
deleted file mode 100644
index 517c7db06e..0000000000
--- a/common/istio-1-22/kubeflow-istio-resources/base/patches/seccomp-istio-ingressgateway.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: istio-ingressgateway
-  namespace: istio-system
-spec:
-  template:
-    spec:
-      containers:
-      - name: istio-proxy
-        securityContext:
-          seccompProfile:
-            type: RuntimeDefault
diff --git a/common/istio-1-22/kubeflow-istio-resources/base/patches/seccomp-istiod.yaml b/common/istio-1-22/kubeflow-istio-resources/base/patches/seccomp-istiod.yaml
deleted file mode 100644
index 91fb0c4a5e..0000000000
--- a/common/istio-1-22/kubeflow-istio-resources/base/patches/seccomp-istiod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: istiod
-  namespace: istio-system
-spec:
-  template:
-    spec:
-      containers:
-      - name: discovery
-        securityContext:
-          seccompProfile:
-            type: RuntimeDefault
\ No newline at end of file
diff --git a/common/istio-cni-1-22/istio-install/base/kustomization.yaml b/common/istio-cni-1-22/istio-install/base/kustomization.yaml
index 79d1fe5817..c3d6f9e06f 100644
--- a/common/istio-cni-1-22/istio-install/base/kustomization.yaml
+++ b/common/istio-cni-1-22/istio-install/base/kustomization.yaml
@@ -14,3 +14,5 @@ patches:
 - path: patches/disable-debugging.yaml
 - path: patches/istio-ingressgateway-remove-pdb.yaml
 - path: patches/istiod-remove-pdb.yaml
+- path: patches/seccomp-istio-ingressgateway.yaml
+- path: patches/seccomp-istiod.yaml
diff --git a/common/istio-cni-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-cni-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
new file mode 100644
index 0000000000..f8825a0263
--- /dev/null
+++ b/common/istio-cni-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
@@ -0,0 +1,16 @@
+# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
+# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must
+# This is done to enable 'restricted' level security standards for the pods.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-ingressgateway
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: istio-proxy
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/common/istio-cni-1-22/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-cni-1-22/istio-install/base/patches/seccomp-istiod.yaml
new file mode 100644
index 0000000000..3174889f85
--- /dev/null
+++ b/common/istio-cni-1-22/istio-install/base/patches/seccomp-istiod.yaml
@@ -0,0 +1,16 @@
+# Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited.
+# According to https://kubernetes.io/docs/concepts/security/pod-security-standards/#:~:text=undefined/null-,Seccomp%20(v1.19%2B),-Seccomp%20profile%20must
+# This is done to enable 'restricted' level security standards for the pods.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istiod
+  namespace: istio-system
+spec:
+  template:
+    spec:
+      containers:
+      - name: discovery
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
diff --git a/common/istio-cni-1-22/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-22/kubeflow-istio-resources/base/kustomization.yaml
index aaa19873b9..75669a18a5 100644
--- a/common/istio-cni-1-22/kubeflow-istio-resources/base/kustomization.yaml
+++ b/common/istio-cni-1-22/kubeflow-istio-resources/base/kustomization.yaml
@@ -4,6 +4,3 @@ resources:
 - kf-istio-resources.yaml
 - cluster-roles.yaml
 namespace: kubeflow
-patches:
-- path: patches/seccomp-istio-ingressgateway.yaml
-- path: patches/seccomp-istiod.yaml
\ No newline at end of file
diff --git a/common/istio-cni-1-22/kubeflow-istio-resources/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-cni-1-22/kubeflow-istio-resources/base/patches/seccomp-istio-ingressgateway.yaml
deleted file mode 100644
index 517c7db06e..0000000000
--- a/common/istio-cni-1-22/kubeflow-istio-resources/base/patches/seccomp-istio-ingressgateway.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: istio-ingressgateway
-  namespace: istio-system
-spec:
-  template:
-    spec:
-      containers:
-      - name: istio-proxy
-        securityContext:
-          seccompProfile:
-            type: RuntimeDefault
diff --git a/common/istio-cni-1-22/kubeflow-istio-resources/base/patches/seccomp-istiod.yaml b/common/istio-cni-1-22/kubeflow-istio-resources/base/patches/seccomp-istiod.yaml
deleted file mode 100644
index 91fb0c4a5e..0000000000
--- a/common/istio-cni-1-22/kubeflow-istio-resources/base/patches/seccomp-istiod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: istiod
-  namespace: istio-system
-spec:
-  template:
-    spec:
-      containers:
-      - name: discovery
-        securityContext:
-          seccompProfile:
-            type: RuntimeDefault
\ No newline at end of file