Skip to content

Security hardening guide for scheduler configuration #45080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 5, 2025
Merged

Security hardening guide for scheduler configuration #45080

merged 1 commit into from
Jun 5, 2025

Conversation

@AnshumanTripathi
Copy link
Contributor

@AnshumanTripathi AnshumanTripathi commented Feb 10, 2024
edited
Loading

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 10, 2024
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Feb 10, 2024
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: AnshumanTripathi / name: Anshuman Tripathi (b0d8a8c)

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 10, 2024

Welcome @AnshumanTripathi!

It looks like this is your first PR to kubernetes/website 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/website has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 10, 2024
@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Feb 10, 2024
@k8s-ci-robot k8s-ci-robot requested a review from tengqm February 10, 2024 08:07
@k8s-ci-robot k8s-ci-robot added the sig/docs Categorizes an issue or PR as relevant to SIG Docs. label Feb 10, 2024
@netlify
Copy link

netlify bot commented Feb 10, 2024
edited
Loading

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit b0d8a8c
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-io-main-staging/deploys/683b8316a957710008f5458d
😎 Deploy Preview https://deploy-preview-45080--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Feb 10, 2024
@sftim
Copy link
Contributor

sftim commented Feb 10, 2024

/sig security

@k8s-ci-robot k8s-ci-robot added the sig/security Categorizes an issue or PR as relevant to SIG Security. label Feb 10, 2024
@AnshumanTripathi AnshumanTripathi marked this pull request as ready for review February 13, 2024 06:34
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 13, 2024
bijou-code
bijou-code reviewed Feb 13, 2024
View reviewed changes
bijou-code
bijou-code reviewed Feb 13, 2024
View reviewed changes
@reylejano
Copy link
Member

reylejano commented Feb 13, 2024

@kubernetes/sig-security-pr-reviews please take a look

sftim
sftim reviewed Feb 13, 2024
View reviewed changes
raesene
raesene reviewed Feb 14, 2024
View reviewed changes
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch 3 times, most recently from 0728e98 to 2cae0ed Compare February 18, 2024 21:05
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 5958b41 to 90fb6d6 Compare February 18, 2024 21:10
sftim
sftim reviewed Mar 14, 2024
View reviewed changes
Copy link
Contributor

@sftim sftim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some more feedback.

@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from beca647 to 2aa72f3 Compare March 15, 2024 05:57
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 19972a5 to ab53e96 Compare March 24, 2024 20:13
@k8s-ci-robot k8s-ci-robot added area/localization General issues or PRs related to localization language/ja Issues or PRs related to Japanese language size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 4, 2025
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 37e8ff3 to 767eb20 Compare March 7, 2025 16:12
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Mar 7, 2025
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 767eb20 to c1a7095 Compare March 8, 2025 03:29
@t-inu
Copy link
Member

t-inu commented Mar 11, 2025

/remove-area localization
/remove-language ja

@k8s-ci-robot k8s-ci-robot removed area/localization General issues or PRs related to localization language/ja Issues or PRs related to Japanese language labels Mar 11, 2025
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from c1a7095 to 54dcea7 Compare May 26, 2025 02:34
@mtardy
Copy link
Member

mtardy commented May 26, 2025

Please wrap these long lines as you did for some other paragraphs.

As mentioned, could you wrap all your lines so that's it's easier to make suggestions and edits?

@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch 2 times, most recently from 5d7b524 to 3c15880 Compare May 27, 2025 03:29
@AnshumanTripathi
Copy link
Contributor Author

AnshumanTripathi commented May 27, 2025

Please wrap these long lines as you did for some other paragraphs.

As mentioned, could you wrap all your lines so that's it's easier to make suggestions and edits?

Wrapped long lines. LMK more is needed.

@AnshumanTripathi
Security hardening guide for scheduler configuration
b0d8a8c 
Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

[WIP] Security hardening guide for scheduler configurations

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Updates after passing through hemmingway.app

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Update scheduling configurations

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Apply suggestions from code review

Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: Daniel Register <jedion9@yahoo.com>

Updates based on PR feedback

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Update bind-address definition

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Update phrasing of permit-address-sharing

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Add -- to args

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Sentence case in table title

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Reword and correct grammer based on feedback

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Remove verbatim argument description

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

More updates

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Update custom scheduler heading and description

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Remove dashes on args

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Apply suggestions from code review

Co-authored-by: Tim Bannister <tim@scalefactory.com>
Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Update table title

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Update based on feedback

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

node selector

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Feedback

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Update authentication and TLS configuration

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

profiling

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Replace tables with bullets

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Fix custom scheduler directive and link

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

style

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

Update based on feedback

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>

fix: custom scheduler profile

Signed-off-by: Anshuman Tripathi <anshuman.tripathi305@gmail.com>
@AnshumanTripathi AnshumanTripathi force-pushed the anshuman/scheduler_hardening_guide branch from 3c15880 to b0d8a8c Compare May 31, 2025 22:30
@raesene
Copy link
Contributor

raesene commented Jun 5, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 5, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jun 5, 2025

LGTM label has been added.

Git tree hash: 7450a0d530136c46aa8f2457c3b8c6e514ed1ffe

@lmktfy
Copy link
Member

lmktfy commented Jun 5, 2025

/approve

Happy to see the content reorganized where needed, along with existing content.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jun 5, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lmktfy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 5, 2025
@natalisucks
Copy link
Contributor

natalisucks commented Jun 5, 2025

hey folks – i'm seeing a hold on this PR but it's not clear why its the case. are we ready to unhold and merge? we have several reviews from Security and Docs – thanks for clarifying! @tabbysable @raesene @lmktfy

@lmktfy
Copy link
Member

lmktfy commented Jun 5, 2025

If we really need to revert, we can.
I think the concern was from resolved comments - #45080 (comment)

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 5, 2025
@k8s-ci-robot k8s-ci-robot merged commit 8992fe7 into kubernetes:main Jun 5, 2025
6 checks passed
@AnshumanTripathi AnshumanTripathi deleted the anshuman/scheduler_hardening_guide branch June 15, 2025 07:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tengqm tengqm tengqm left review comments

@shannonxtreme shannonxtreme Awaiting requested review from shannonxtreme

@dipesh-rawat dipesh-rawat Awaiting requested review from dipesh-rawat

+6 more reviewers

@raesene raesene raesene left review comments

@Huang-Wei Huang-Wei Huang-Wei left review comments

@bijou-code bijou-code bijou-code left review comments

@sftim sftim sftim left review comments

@network-charles network-charles network-charles left review comments

@tabbysable tabbysable tabbysable left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@raesene raesene

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/docs Categorizes an issue or PR as relevant to SIG Docs. sig/security Categorizes an issue or PR as relevant to SIG Security. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.