Commit 3064cb31 authored by Ash McKenzie's avatar Ash McKenzie

Merge branch 'cluster-applications-0-24-2' into 'master'

Update cluster-applications to 0.24.2

See merge request gitlab-org/gitlab!36768
parents be8396d6 a226c399
---
title: Update cluster-applications to 0.24.2
merge_request: 36768
author:
type: added
...@@ -984,21 +984,20 @@ Major upgrades might require additional setup steps, please consult ...@@ -984,21 +984,20 @@ Major upgrades might require additional setup steps, please consult
the official [upgrade guide](https://docs.cilium.io/en/stable/install/upgrade/) for more the official [upgrade guide](https://docs.cilium.io/en/stable/install/upgrade/) for more
information. information.
By default, Cilium drops all disallowed packets upon policy By default, Cilium's [audit
deployment. In mode](https://docs.cilium.io/en/v1.8/gettingstarted/policy-creation/?highlight=policy-audit#enable-policy-audit-mode)
[auditmode](https://docs.cilium.io/en/v1.8/gettingstarted/policy-creation/?highlight=policy-audit#enable-policy-audit-mode), is enabled. In audit mode, Cilium doesn't drop disallowed packets. You
however, Cilium doesn't drop disallowed packets. You can use can use `policy-verdict` log to observe policy-related decisions. You
`policy-verdict` log to observe policy-related decisions. You can can disable audit mode by adding the following to
enable audit mode by adding the following to
`.gitlab/managed-apps/cilium/values.yaml`: `.gitlab/managed-apps/cilium/values.yaml`:
```yaml ```yaml
config: config:
policyAuditMode: true policyAuditMode: false
agent: agent:
monitor: monitor:
eventTypes: ["drop", "policy-verdict"] eventTypes: ["drop"]
``` ```
The Cilium monitor log for traffic is logged out by the The Cilium monitor log for traffic is logged out by the
...@@ -1453,6 +1452,45 @@ podAnnotations: ...@@ -1453,6 +1452,45 @@ podAnnotations:
The only information to be changed here is the profile name which is `profile-one` in this example. Refer to the [AppArmor tutorial](https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod) for more information on how AppArmor is integrated in Kubernetes. The only information to be changed here is the profile name which is `profile-one` in this example. Refer to the [AppArmor tutorial](https://kubernetes.io/docs/tutorials/clusters/apparmor/#securing-a-pod) for more information on how AppArmor is integrated in Kubernetes.
#### Using PodSecurityPolicy in your deployments
NOTE: **Note:**
To enable AppArmor annotations on a Pod Security Policy you must first
load the correspondingAppArmor profile.
[Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)are
resources at the cluster level that control security-related
properties of deployed pods. You can use such a policy to enable
loaded AppArmor profiles and apply necessary pod restrictions across a
cluster. You can deploy a new policy by adding the following
to`.gitlab/managed-apps/apparmor/values.yaml`:
```yaml
securityPolicies:
example:
defaultProfile: profile-one
allowedProfiles:
- profile-one
- profile-two
spec:
privileged: false
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: RunAsAny
fsGroup:
rule: RunAsAny
volumes:
- '*'
```
This example creates a single policy named `example` with the provided
specification, and enables [AppArmor
annotations](https://kubernetes.io/docs/tutorials/clusters/apparmor/#podsecuritypolicy-annotations)on
it.
NOTE: **Note:** NOTE: **Note:**
Support for installing the AppArmor managed application is provided by the GitLab Container Security group. Support for installing the AppArmor managed application is provided by the GitLab Container Security group.
If you run into unknown issues, please [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new) and ping at least 2 people from the [Container Security group](https://about.gitlab.com/handbook/product/product-categories/#container-security-group). If you run into unknown issues, please [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new) and ping at least 2 people from the [Container Security group](https://about.gitlab.com/handbook/product/product-categories/#container-security-group).
......
apply: apply:
stage: deploy stage: deploy
image: "registry.gitlab.com/gitlab-org/cluster-integration/cluster-applications:v0.23.0" image: "registry.gitlab.com/gitlab-org/cluster-integration/cluster-applications:v0.24.2"
environment: environment:
name: production name: production
variables: variables:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment