A Kubernetes operator that bridges Hardware Security Module (HSM) data storage with Kubernetes Secrets, providing true secret portability th

try and remove sys_admin cap

+10 -11
+1 -1
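--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.6.5
+VERSION ?= 0.6.6
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")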
+2 -2
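--- a/helm/hsm-secrets-operator/Chart.yaml
+++ b/helm/hsm-secrets-operator/Chart.yaml
@@ -2,8 +2,8 @@
 name: hsm-secrets-operator
 description: A Kubernetes operator that bridges Pico HSM binary data storage with Kubernetes Secrets
 type: application
-version: 0.6.5
-appVersion: v0.6.5
+version: 0.6.6
+appVersion: v0.6.6
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.svg
 home: https://github.com/evanjarrett/hsm-secrets-operator
 sources: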
+1 -1
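--- a/internal/agent/manager.go
+++ b/internal/agent/manager.go
@@ -451,7 +451,7 @@
 var availableDevices []hsmv1alpha1.DiscoveredDevice
 // Check all pools that are in Ready phase
 for _, pool := range hsmPoolList.Items {
-m.logger.Info("Checking HSMPool", "name", pool.Name, "namespace", pool.Namespace, "phase", pool.Status.Phase, "aggregatedDeviceCount", len(pool.Status.AggregatedDevices))
+m.logger.Info("Checking HSMPool", "name", pool.Name, "phase", pool.Status.Phase, "aggregatedDeviceCount", len(pool.Status.AggregatedDevices))
 
 if pool.Status.Phase != hsmv1alpha1.HSMPoolPhaseReady {
 m.logger.Info("Skipping HSMPool - not ready", "name", pool.Name, "phase", pool.Status.Phase)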
+6 -6
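--- a/internal/controller/hsmpool_agent_controller.go
+++ b/internal/controller/hsmpool_agent_controller.go
@@ -670,12 +670,12 @@
 SecurityContext: &corev1.SecurityContext{
 Privileged: truePtr,
 AllowPrivilegeEscalation: truePtr,
-Capabilities: &corev1.Capabilities{
-Drop: []corev1.Capability{},
-Add: []corev1.Capability{
-"SYS_ADMIN",
-},
-},
+// Capabilities: &corev1.Capabilities{
+// Drop: []corev1.Capability{},
+// Add: []corev1.Capability{
+// "SYS_ADMIN",
+// },
+// },
 ReadOnlyRootFilesystem: falsePtr,
 RunAsNonRoot: falsePtr,
 RunAsUser: &rootUserId,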
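Review bot: Commenting out the Capabilities block does not remove SYS_ADMIN from the agent container, because `Privileged: truePtr` two lines above already grants every capability regardless of the Add list, so the only observable change is that the explicit capability list is gone while the pod still runs privileged, as root, with `AllowPrivilegeEscalation: truePtr` and `RunAsNonRoot: falsePtr`. If the intent of the commit is to find out whether the agent works without SYS_ADMIN, the field to flip is `Privileged: falsePtr,` together with an explicit `Capabilities: &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},` and only the capabilities the HSM device access genuinely needs added back (which ones that is cannot be determined from this hunk; confirm against how the agent opens the device). Leaving commented-out code in place is also a style problem: delete the block, since git history preserves it, and add a one-line comment such as `// Privileged is required for raw HSM device access; see <issue/ADR reference>` next to whichever privilege the container actually keeps, so the next reader knows why it is there. The enclosing function and the SecurityContext literal both start and end outside the hunk.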
-1
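--- a/internal/modes/discovery/discovery.go
+++ b/internal/modes/discovery/discovery.go
@@ -94,7 +94,6 @@
 setupLog.Info("Starting HSM device discovery agent",
 "node", discoveryConfig.NodeName,
 "pod", discoveryConfig.PodName,
-"namespace", discoveryConfig.PodNamespace,
 "sync-interval", syncInterval,
 "detection-method", detectionMethod)
 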