Description
We would like to ensure that proper Pod Security Standards are met by the Karpenter controllers that are installed. Today, Karpenter adheres to these Pod Security Standards, but we are currently not enforcing that bar with any check in functional or E2E testing.
Currently, we are publishing a warning based on this label that is added to the namespace here: https://github.com/aws/karpenter-provider-aws/blob/main/.github/actions/e2e/install-karpenter/action.yaml#L42. We used to enforce this pod security standard in the namespace rather than just warning on it, which was changed here: 8f500c2. We had to make this change because there are some components in the kube-system namespace which are not adhering to the pod security standard (not Karpenter) that we didn't want to write custom patches to control.
There are a couple of options to enforce this pod security standard:
- Run custom patches on the addons that are added to the E2E test clusters so that they all adhere to the pod security standards of the namespace, and change the pod security standard back to pod-security.kubernetes.io/enforce=restricted
- Check the output of the apply operation that happens when Karpenter is installed. Since the apiserver prints warnings if there are violations of the pod security standard, we can check that the output is empty to ensure that we are adhering to the standard.
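As an added illustration of what the second option is really checking, the following Go program (example code written for this page, not Karpenter's or Kubernetes' own code) evaluates a Pod manifest against a subset of the controls in the restricted Pod Security Standard and reports one message per finding. It is an assumption that the restricted profile is adequately modelled by these checks (host namespaces, privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot, runAsUser, seccompProfile; volume types and other controls are left out), and the message wording only approximates the apiserver's warnings. The two manifests are constructed for the example and are not real Karpenter or kube-system pods. In a live cluster the equivalent signal is the `Warning: would violate PodSecurity "restricted:latest"` lines the apiserver returns on the install's apply, which is why an empty warning output is the thing to assert on.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SecurityContext is a hand-written subset of the Pod schema (assumption: only the
// fields the checks below read; the real schema has many more).
type SecurityContext struct {
	Privileged               *bool  `json:"privileged,omitempty"`
	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
	RunAsUser                *int64 `json:"runAsUser,omitempty"`
	SeccompProfile           *struct {
		Type string `json:"type"`
	} `json:"seccompProfile,omitempty"`
	Capabilities *struct {
		Add  []string `json:"add"`
		Drop []string `json:"drop"`
	} `json:"capabilities,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type Pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		HostNetwork     bool             `json:"hostNetwork"`
		HostPID         bool             `json:"hostPID"`
		HostIPC         bool             `json:"hostIPC"`
		SecurityContext *SecurityContext `json:"securityContext,omitempty"`
		Containers      []Container      `json:"containers"`
		InitContainers  []Container      `json:"initContainers"`
	} `json:"spec"`
}

// RestrictedViolations applies the restricted-profile controls this example models.
// Container-level settings override pod-level ones, as the admission plugin does.
func RestrictedViolations(pod Pod) []string {
	var v []string
	if pod.Spec.HostNetwork || pod.Spec.HostPID || pod.Spec.HostIPC {
		v = append(v, "host namespaces (hostNetwork, hostPID and hostIPC must be false)")
	}
	podSC := pod.Spec.SecurityContext
	if podSC == nil {
		podSC = &SecurityContext{}
	}
	all := append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...)
	for _, c := range all {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		if sc.Privileged != nil && *sc.Privileged {
			v = append(v, fmt.Sprintf("privileged (container %q must not set securityContext.privileged=true)", c.Name))
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			v = append(v, fmt.Sprintf("allowPrivilegeEscalation != false (container %q must set securityContext.allowPrivilegeEscalation=false)", c.Name))
		}
		dropAll := false // restricted requires drop=["ALL"]; only NET_BIND_SERVICE may be added back
		if sc.Capabilities != nil {
			for _, d := range sc.Capabilities.Drop {
				dropAll = dropAll || d == "ALL"
			}
			for _, a := range sc.Capabilities.Add {
				if a != "NET_BIND_SERVICE" {
					v = append(v, fmt.Sprintf("unrestricted capabilities (container %q must not include %q in securityContext.capabilities.add)", c.Name, a))
				}
			}
		}
		if !dropAll {
			v = append(v, fmt.Sprintf("unrestricted capabilities (container %q must set securityContext.capabilities.drop=[\"ALL\"])", c.Name))
		}
		nonRoot := podSC.RunAsNonRoot
		if sc.RunAsNonRoot != nil {
			nonRoot = sc.RunAsNonRoot
		}
		if nonRoot == nil || !*nonRoot {
			v = append(v, fmt.Sprintf("runAsNonRoot != true (pod or container %q must set securityContext.runAsNonRoot=true)", c.Name))
		}
		uid := podSC.RunAsUser
		if sc.RunAsUser != nil {
			uid = sc.RunAsUser
		}
		if uid != nil && *uid == 0 {
			v = append(v, fmt.Sprintf("runAsUser=0 (container %q must not set runAsUser=0)", c.Name))
		}
		seccomp := ""
		if podSC.SeccompProfile != nil {
			seccomp = podSC.SeccompProfile.Type
		}
		if sc.SeccompProfile != nil {
			seccomp = sc.SeccompProfile.Type
		}
		if seccomp != "RuntimeDefault" && seccomp != "Localhost" {
			v = append(v, fmt.Sprintf("seccompProfile (pod or container %q must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")", c.Name))
		}
	}
	return v
}

// RestrictedViolationsJSON decodes a JSON Pod manifest and runs the checks on it.
func RestrictedViolationsJSON(manifest []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, err
	}
	return RestrictedViolations(pod), nil
}

// Constructed manifests for the example: one satisfies the modelled controls,
// the other violates several of them.
const compliantPod = `{"metadata":{"name":"ok"},"spec":{
 "securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},
 "containers":[{"name":"app","securityContext":{
   "allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}}]}}`

const violatingPod = `{"metadata":{"name":"bad"},"spec":{"hostNetwork":true,
 "containers":[{"name":"app","securityContext":{"runAsUser":0,
   "capabilities":{"add":["SYS_ADMIN"],"drop":["ALL"]}}}]}}`

func main() {
	for _, m := range []string{compliantPod, violatingPod} {
		v, err := RestrictedViolationsJSON([]byte(m))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d violation(s)\n  %s\n", len(v), strings.Join(v, "\n  "))
	}
}
```

The point of running this against the install manifests rather than only grepping the warning text is that the pod-level and container-level overrides are where most "but we set runAsNonRoot" surprises come from: a pod-level `runAsNonRoot: true` is undone by a container that sets `runAsUser: 0`, and the admission plugin evaluates init containers as well as regular ones.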