
Zarf overwrites namespace labels required when deploying to env with restricted pod security standard #2932

Closed
Ansible-man opened this issue Aug 27, 2024 · 11 comments · Fixed by #3036

Comments

@Ansible-man
Contributor

Environment

Device and OS: RHEL 9
App version: 0.38.3
Kubernetes distro being used: rke2
Other:

Steps to reproduce

  1. Create zarf namespace with labels that allow it to run in an environment that enforces the restricted pod security standard
  2. Deploy Zarf with zarf init command (we use a custom package that only has the zarf agent based on iron bank images)

Expected result

  1. Zarf leaves the existing NS labels alone

Actual Result

Zarf removes the labels and fails to deploy due to non-compliance

Visual Proof (screenshots, videos, text, etc)

Severity/Priority

medium

Additional Context

Instead of requiring users to apply exceptions Zarf should natively comply with the Kubernetes restricted pod security standard. Especially when building it for a government use case.
Please see
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

@github-project-automation github-project-automation bot moved this to Backlog in Zarf Aug 27, 2024
@Ansible-man Ansible-man changed the title Zarf overwrites namespace labels required when deploying to env with restricted pod security profile Zarf overwrites namespace labels required when deploying to env with restricted pod security standard Aug 27, 2024
@AustinAbro321
Contributor

AustinAbro321 commented Aug 27, 2024

Hey @Ansible-man, just to make sure I understand: you are talking specifically about the zarf namespace, correct? You are pre-creating the zarf namespace with extra labels on it before running zarf init?

@Ansible-man
Contributor Author

Ansible-man commented Aug 28, 2024

Yes @AustinAbro321. Please see
https://kubernetes.io/docs/concepts/security/pod-security-standards/
https://kubernetes.io/docs/concepts/security/pod-security-admission/
https://kubernetes.io/docs/concepts/security/pod-security-admission/#exemptions

Because PSA is enforcing the restricted Pod Security Level and Zarf does not apply a security context to its deployment like:

```yaml
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: restricted-container
      image: nginx:1.19.8
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        runAsUser: 1000
        runAsGroup: 3000
        readOnlyRootFilesystem: true
```

We have to apply labels to the zarf namespace so the PSA will allow it to run:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: zarf
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: v1.25
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/audit-version: v1.25
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/warn-version: v1.25
```
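As an added illustration of the restricted-level controls discussed in this comment (this is example code written here, not code from Zarf or from the thread's participants), a small checker that reports which of those controls a pod spec is missing. The two pod specs are constructed samples: one with no security context, modelled on the failure described in the issue, and one carrying the settings the restricted level requires.

```python
"""Report violations of the restricted Pod Security Standard controls cited in the thread."""
from typing import Any

# Constructed sample: a pod template with no securityContext (not Zarf's real manifest).
UNHARDENED_POD: dict[str, Any] = {
    "securityContext": {},
    "containers": [{"name": "agent", "image": "example/agent:1.0", "securityContext": {}}],
}

# Constructed sample: the same pod with the restricted-level settings applied.
HARDENED_POD: dict[str, Any] = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "agent",
        "image": "example/agent:1.0",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "runAsUser": 1000,
            "readOnlyRootFilesystem": True,
        },
    }],
}


def restricted_violations(pod_spec: dict[str, Any]) -> list[str]:
    """Return human-readable violations for the restricted controls shown above.

    This covers only the controls named in the thread (privilege escalation,
    capabilities, runAsNonRoot, seccomp), not the full standard. Pod-level
    runAsNonRoot and seccompProfile are inherited by containers unless the
    container sets its own value, mirroring how PSA evaluates those fields.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    problems: list[str] = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: only NET_BIND_SERVICE may be added back")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems
```

Running the checker against a rendered manifest before `zarf init` shows the same findings that a namespace with `pod-security.kubernetes.io/enforce: restricted` would reject at admission, without needing the privileged exemption labels.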

@Ansible-man
Contributor Author

I would be more than happy to do testing and put in a PR to apply the proper security context on the zarf-agent if it's something you guys want. The root issue is Zarf not complying with the restricted pod security standard.

@AustinAbro321
Contributor

@Ansible-man A PR to apply the proper security context on the Zarf agent would be great. I'm relatively certain we can adhere to the restricted level without breaking any functionality. Tests should catch it if so.

@Ansible-man
Contributor Author

@AustinAbro321 Sounds good, I will look into doing this in the next few days. Thanks.

@Miaoxiang-philips
Contributor

Hey @AustinAbro321 @Ansible-man, are there any updates here? I have the same problem too.

@Ansible-man
Contributor Author

Ansible-man commented Sep 21, 2024 via email

@Ansible-man
Contributor Author

@AustinAbro321 I have the code ready to commit, but I can't seem to make a branch or access the Slack channel. I read the contributing docs and I see where it says to create a draft PR, but I am not able to make the branch for the draft PR.

@AustinAbro321
Contributor

@Ansible-man Only members of the org can make a new branch in this repo; you'll have to create a fork.

@Ansible-man
Contributor Author

Tested the above in my rke2 cluster at home with the restricted PSS and all seemed to go well. We only deploy the zarf agent without any other components so I cannot speak to their compliance.

@Miaoxiang-philips
Contributor

> Tested the above in my rke2 cluster at home with the restricted PSS and all seemed to go well. We only deploy the zarf agent without any other components so I cannot speak to their compliance.

Hi @Ansible-man,
Thanks. In fact, in my use case the other components also need to be PSS compliant, which I've tried to do myself and tested successfully, so I'll create another PR to commit the code.
