UNCLASSIFIED - NO CUI

Snippets Groups Projects

Currently supported Big Bang Version is 2.49

Attention Iron Bank Customers: On March 27, 2025, we are moving SBOM artifacts from the Anchore Scan job to the Build job to streamline the container hardening pipeline. If you currently download SBOMs from the Anchore Scan job, you can still get them from the Build job and from other sources, including IBFE and image attestations.

Merged Eric Goode requested to merge opa-add-regexp into master 3 years ago

All threads resolved!

Merge Request

No package changes. Scope is in Big Bang only.

Excluded namespaces converted to excluded resources where the exclusion could be narrowed down to namespace and pod/container name using regex.

Values added to k3d-dev-values.yaml and ci/k3d/values.yaml to accommodate load balancer pod/container exceptions.

Additional Details

For testing, all packages should be deployed and no denies should occur. Use kubectl get events -n <namespace> to check for denies.

closes #693 (closed)

closes #776 (closed)

Edited 3 years ago by Michael McLeroy

Activity

Eric Goode added 1 commit 3 years ago
added 1 commit

d9d96cb0 - Updated the documentation for the k3d developer instances

Compare with previous version
Eric Goode added statusreview label 3 years ago

added statusreview label
Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Eric Goode
Last reply by Micah Nagel 3 years ago

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Eric Goode

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Resolved 3 years ago by Micah Nagel

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Eric Goode

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel started a thread on an old version of the diff 3 years ago

Automatically resolved 3 years ago by Michael McLeroy

Micah Nagel @micah.nagel · 3 years ago

Guest

@egoode a lot of comments but they all boil down to the same couple of things:

make sure our conditionals are on the proper packages (mostly fluentbit, these were pre-existing issues but we should clean them up while we're modifying these values)
make sure that we're using the excludedResources as intended: the goal is to restrict our exceptions down further than just the namespace. As is, most of these just add a whole namespace exception in a different way.

What I'd suggest doing to get the pieces:

remove the exceptions
deploy the offending packages
view the errors that happen (typically a describe on the deployments/daemonsets)
the errors will output something like "gatekeeper denied this-resource-name" or "gatekeeper denied this-resource-name-xhyd"
use that name as the excludedResources, sometimes we can do an exact match and sometimes we need regex due to the random strings.

Micah Nagel removed label 3 years ago

removed statusreview label

Eric Goode added 71 commits 3 years ago

added 71 commits

d9d96cb0...d494da88 - 70 commits from branch master
722f26c5 - Merging in new changes from master

Compare with previous version

Michael McLeroy added 53 commits 3 years ago

added 53 commits

722f26c5...b0512faa - 52 commits from branch master
17952abb - Merge branch 'master' into opa-add-regexp

Compare with previous version

Michael McLeroy added 1 commit 3 years ago

added 1 commit

2cccdbc0 - fix(gatekeeper): narrowed exclusions

Compare with previous version

Michael McLeroy added 1 commit 3 years ago

added 1 commit

ac191ab8 - fix(gatekeeper): node exporter missing dot

Compare with previous version

Michael McLeroy changed the description 3 years ago

changed the description

Michael McLeroy added 28 commits 3 years ago

added 28 commits

ac191ab8...66272e52 - 27 commits from branch master
ccf0cf55 - Merge branch 'master' into opa-add-regexp

Compare with previous version

Michael McLeroy added 1 commit 3 years ago

added 1 commit

27d633fc - fix(gatekeeper): fluentbit conditional updated

Compare with previous version

Michael McLeroy resolved all threads 3 years ago

resolved all threads

Michael McLeroy added 1 commit 3 years ago

added 1 commit

7859b52e - docs: updated development env

Compare with previous version

Michael McLeroy added label 3 years ago

added statusreview label

Michael McLeroy approved this merge request 3 years ago

approved this merge request

Michael McLeroy added 3 commits 3 years ago

added 3 commits

7859b52e...a8a66f3e - 2 commits from branch master
36d16708 - Merge branch 'master' into opa-add-regexp

Compare with previous version

Michael McLeroy approved this merge request 3 years ago

approved this merge request

Michael McLeroy enabled an automatic merge when the pipeline for succeeds 3 years ago

enabled an automatic merge when the pipeline for 36d16708 succeeds

Michael McLeroy merged 3 years ago

merged

Michael McLeroy mentioned in commit 3 years ago

mentioned in commit e3eb8bbf

Please register or sign in to reply

UNCLASSIFIED - NO CUI