Skip to content

Initial phase 1-3 of a per-node Kata config delivery#78

Merged
ebourgeois merged 1 commit into
mainfrom
kata-config
Jun 10, 2026
Merged

Initial phase 1-3 of a per-node Kata config delivery#78
ebourgeois merged 1 commit into
mainfrom
kata-config

Conversation

@ebourgeois

Copy link
Copy Markdown
Collaborator

Initial phase 1-3 of a per-node Kata config delivery

Comment thread deploy/deployment/rbac/clusterrole.yaml Fixed
@ebourgeois ebourgeois force-pushed the kata-config branch 2 times, most recently from aea9def to 002502c Compare June 10, 2026 01:40
Comment thread deploy/kata-config-agent/daemonset.yaml Dismissed
securityContext:
# Root is required to write the drop-in under /etc/k0s on the host.
# nosemgrep: yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value
runAsNonRoot: false
Comment thread deploy/kata-config-agent/daemonset.yaml Dismissed
Comment on lines +65 to +108
- name: agent
# Pin a released tag — never :latest in production (KSV-0013).
image: ghcr.io/finos/5-spot-kata-config-agent:v0.1.0
imagePullPolicy: IfNotPresent
env:
- name: RUST_LOG
value: "info"
- name: RUST_LOG_FORMAT
value: "json"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: HOST_ROOT
value: "/host"
securityContext:
# privileged is required for setns into host mount/PID namespaces
# (the `nsenter` k0s-service restart, ADR 0003). With privileged,
# allowPrivilegeEscalation must be true; the root filesystem stays
# read-only and seccomp stays RuntimeDefault to keep the escalation
# as narrow as the feature allows.
privileged: true
runAsUser: 0
runAsGroup: 0
# nosemgrep: yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value
runAsNonRoot: false
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
volumeMounts:
# Host root mounted writable so the agent can write the configurable
# destPath (default /etc/k0s/container.d/). The dest path is
# operator-configurable per SM, so a narrower subPath cannot be
# pinned in a shared DaemonSet spec (ADR 0003).
- name: host-root
mountPath: /host
Comment thread deploy/kata-config-agent/rbac.yaml Fixed
Comment on lines +65 to +108
- name: agent
# Pin a released tag — never :latest in production (KSV-0013).
image: ghcr.io/finos/5-spot-kata-config-agent:v0.1.0
imagePullPolicy: IfNotPresent
env:
- name: RUST_LOG
value: "info"
- name: RUST_LOG_FORMAT
value: "json"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: HOST_ROOT
value: "/host"
securityContext:
# privileged is required for setns into host mount/PID namespaces
# (the `nsenter` k0s-service restart, ADR 0003). With privileged,
# allowPrivilegeEscalation must be true; the root filesystem stays
# read-only and seccomp stays RuntimeDefault to keep the escalation
# as narrow as the feature allows.
privileged: true
runAsUser: 0
runAsGroup: 0
# nosemgrep: yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value
runAsNonRoot: false
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
volumeMounts:
# Host root mounted writable so the agent can write the configurable
# destPath (default /etc/k0s/container.d/). The dest path is
# operator-configurable per SM, so a narrower subPath cannot be
# pinned in a shared DaemonSet spec (ADR 0003).
- name: host-root
mountPath: /host
Comment on lines +65 to +108
- name: agent
# Pin a released tag — never :latest in production (KSV-0013).
image: ghcr.io/finos/5-spot-kata-config-agent:v0.1.0
imagePullPolicy: IfNotPresent
env:
- name: RUST_LOG
value: "info"
- name: RUST_LOG_FORMAT
value: "json"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: HOST_ROOT
value: "/host"
securityContext:
# privileged is required for setns into host mount/PID namespaces
# (the `nsenter` k0s-service restart, ADR 0003). With privileged,
# allowPrivilegeEscalation must be true; the root filesystem stays
# read-only and seccomp stays RuntimeDefault to keep the escalation
# as narrow as the feature allows.
privileged: true
runAsUser: 0
runAsGroup: 0
# nosemgrep: yaml.kubernetes.security.run-as-non-root-unsafe-value.run-as-non-root-unsafe-value
runAsNonRoot: false
allowPrivilegeEscalation: true
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
volumeMounts:
# Host root mounted writable so the agent can write the configurable
# destPath (default /etc/k0s/container.d/). The dest path is
# operator-configurable per SM, so a narrower subPath cannot be
# pinned in a shared DaemonSet spec (ADR 0003).
- name: host-root
mountPath: /host
Comment thread deploy/kata-config-agent/daemonset.yaml Fixed
Closes: #77

Signed-off-by: Erick Bourgeois <erick@jeb.ca>
@ebourgeois ebourgeois merged commit 50f14d6 into main Jun 10, 2026
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants