Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 4cfcc0b0b25fba463225feae64232d40e02b570c
commit4cfcc0b0b25fba463225feae64232d40e02b570c[log] [tgz]
authorLeopold Schabel <leo@monogon.tech>Wed Jul 24 13:23:26 2024 +0000
committerLeopold Schabel <leo@monogon.tech>Thu Jul 25 12:02:52 2024 +0000
tree69a7d9ce2d531c763d482e340afe5ceced40c068
parentc5e0dbd3437d5c739d42d7724a619b126eabdbf5 [diff]
metropolis/node/kubernetes: allow privileged pods

There are valid use cases for privileged pods in low-assurance clusters.
In particular, "kubectl debug node/... --profile=sysadmin" is very
useful for debugging and requires privileged pods.

In a production cluster, we'd want to restrict privileged pods
and other dangerous capabilities (which are already allowed)
using pod security or more sophisticated admission controllers,
including enforcing future cluster integrity policy levels.

Change-Id: I8f6470f636cdd13b7c980f04f08f95aaff833b20
Reviewed-on: https://review.monogon.dev/c/monogon/+/3246
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
1 file changed
tree: 69a7d9ce2d531c763d482e340afe5ceced40c068
  1. .github/
  2. build/
  3. cloud/
  4. go/
  5. intellij/
  6. metropolis/
  7. net/
  8. osbase/
  9. third_party/
  10. tools/
  11. version/
  12. .bazelignore
  13. .bazelproject
  14. .bazelrc
  15. .bazelrc.ci
  16. .bazelrc.sandboxroot
  17. .bazelversion
  18. .git-ignore-revs
  19. .gitignore
  20. BUILD.bazel
  21. CODING_STANDARDS.md
  22. go.mod
  23. go.sum
  24. LICENSE
  25. MODULE.bazel
  26. MODULE.bazel.lock
  27. README.md
  28. SETUP.md
  29. shell.nix
  30. WORKSPACE
README.md

Monogon Monorepo

This is the main repository containing the source code for the Monogon Platform.

This is pre-release software - take a look, and check back later! In the meantime, join us on Matrix (#monogon-os-community:matrix.org) or Discord.

Environment

Our build environment is self-contained and requires only minimal host dependencies:

  • A Linux machine or VM.
  • Bazelisk >= v1.15.0 (or a working Nix environment).
  • A reasonably recent kernel with user namespaces enabled.
  • Working KVM with access to /dev/kvm (if you want to run tests).

Our docs assume that Bazelisk is available as bazel on your PATH.

Refer to SETUP.md for detailed instructions.

Monogon OS

The source code lives in //metropolis (Metropolis is the codename of Monogon OS).

See the //metropolis/README.md for a developer quick start guide, or see the Monogon OS Handbook for user documentation.