Zarf overwrites namespace labels required when deploying to env with restricted pod security standard #2932
Comments
Ansible-man
changed the title
|
Hey @Ansible-man just to make sure I understand you are talking specifically about the |
|
Yes @AustinAbro321 . Please see Because PSA is enforcing the restricted Pod Security Level and Zarf does not apply security context to its deployment like spec:
We have to apply labels to the zarf namespace so the PSA will allow it to run apiVersion: v1 |
|
I would be more than happy to do testing and put in a PR to apply the proper security context on the zarf-agent if its something you guys want. The root issue is Zarf not complying with the restricted pod security standard. |
|
@Ansible-man A PR to apply the proper security context on the Zarf agent would be great. I'm relatively certain we can adhere to the restricted level without breaking any functionality. Tests should catch it if so |
|
@AustinAbro321 Sounds good, I will look into doing this in the next few days. Thanks |
Environment
Device and OS: RHEL 9
App version: 0.38.3
Kubernetes distro being used: rke2
Other:
Steps to reproduce
Expected result
Actual Result
Zarf removes the labels and fails to deploy due to non compliance
Visual Proof (screenshots, videos, text, etc)
Severity/Priority
medium
Additional Context
Add any other context or screenshots about the technical debt here.
Instead of requiring users to apply exceptions Zarf should natively comply with the Kubernetes restricted pod security standard. Especially when building it for a government use case.
Please see
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
The text was updated successfully, but these errors were encountered: