James/security enhancements CEL policy update #83
Overall this looks good to me. My only asks are around runtime validation rather than the Helm config itself.
| - name: cache-volume | ||
| {{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureContainerStorageDriver }} | ||
| {{- if .Values.brainstore.storage.hostPath }} | ||
| hostPath: |
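Review bot: the hostPath branch in this hunk (`{{- if .Values.brainstore.storage.hostPath }}` leading to `hostPath:`) is nested inside `{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureContainerStorageDriver }}`, so as shown it can only render on the Azure path, while the discussion below treats hostPath as the EKS option; check the nesting and the matching `{{- end }}` lines. Separately, hostPath volumes are exactly what the restricted Pod Security Standard and typical CEL admission rules reject, so a hostPath branch in a change meant to fix CEL-based policy breaches needs either a documented opt-in that defaults to off or removal in favour of the emptyDir form.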
I spent some time comparing this against the current AKS/GKE behavior. AKS uses Azure Container Storage via ephemeral PVCs, and GKE Autopilot uses pod-local emptyDir with ephemeral-storage requests and local-SSD placement. In both cases, Brainstore’s local cache is expressed as k8s-managed pod-local storage.
The new brainstore.storage.hostPath path is different: if the EKS module sets it, brainstore depends on a raw node filesystem path prepared outside the chart. I think the EKS path should match the AKS/GKE model if technically feasible, likely via EKS Auto Mode with a brainstore-specific NodePool/NodeClass, Brainstore emptyDir, and explicit ephemeral-storage requests.
I think we should remove the hostPath path if EKS Auto Mode is viable. The EKS direction should match AKS/GKE: Brainstore emptyDir, explicit ephemeral-storage requests, and a brainstore-specific EKS Auto Mode NodePool/NodeClass for NVMe-backed capacity.
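To make the two volume shapes in this thread concrete, the following is an added example that is not part of the PR or of the chart: it mirrors in Python the checks a CEL admission policy would apply to the pod spec (no hostPath volumes, an explicit ephemeral-storage request on every container, and an emptyDir sizeLimit that does not exceed that request), and runs them over two constructed pod specs, one using hostPath and one using emptyDir. The manifests, image name, mount path and quantities are all constructed for the example; the CEL expressions in the docstring are the equivalent rules, not anything taken from the chart.

```python
"""Added example (not the PR's or the chart's code): Python mirror of the
pod-local cache storage rules a CEL admission policy would enforce, so the
hostPath and emptyDir volume shapes can be compared offline.

Equivalent ValidatingAdmissionPolicy CEL expressions (for reference only):
  object.spec.volumes.all(v, !has(v.hostPath))
  object.spec.containers.all(c, has(c.resources) && has(c.resources.requests)
                                && 'ephemeral-storage' in c.resources.requests)
"""
from typing import Any, Dict, List

# Constructed sample: cache volume backed by a raw node filesystem path.
HOSTPATH_POD: Dict[str, Any] = {
    "spec": {
        "containers": [{
            "name": "brainstore",
            "image": "example.invalid/brainstore:placeholder",  # placeholder image
            "volumeMounts": [{"name": "cache-volume", "mountPath": "/cache"}],
        }],
        "volumes": [{"name": "cache-volume",
                     "hostPath": {"path": "/mnt/nvme/brainstore"}}],
    }
}

# Constructed sample: pod-local emptyDir with an explicit ephemeral-storage request.
EMPTYDIR_POD: Dict[str, Any] = {
    "spec": {
        "containers": [{
            "name": "brainstore",
            "image": "example.invalid/brainstore:placeholder",  # placeholder image
            "volumeMounts": [{"name": "cache-volume", "mountPath": "/cache"}],
            "resources": {"requests": {"ephemeral-storage": "200Gi"}},
        }],
        "volumes": [{"name": "cache-volume",
                     "emptyDir": {"sizeLimit": "150Gi"}}],
    }
}

# Kubernetes resource quantity suffixes; binary (Ki, Mi, ...) are checked
# before decimal (K, M, ...) so "Gi" is not misread as "G".
_SUFFIXES = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
             "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_quantity(quantity: str) -> int:
    """Convert a Kubernetes quantity string such as '150Gi' or '500M' to bytes."""
    for suffix, mult in _SUFFIXES.items():
        if quantity.endswith(suffix):
            return int(float(quantity[:-len(suffix)]) * mult)
    return int(float(quantity))


def find_hostpath_volumes(pod: Dict[str, Any]) -> List[str]:
    """Names of volumes that use hostPath (rejected by restricted policies)."""
    volumes = pod.get("spec", {}).get("volumes", [])
    return [v["name"] for v in volumes if "hostPath" in v]


def containers_missing_ephemeral_request(pod: Dict[str, Any]) -> List[str]:
    """Containers without an explicit ephemeral-storage request."""
    missing = []
    for c in pod.get("spec", {}).get("containers", []):
        requests = c.get("resources", {}).get("requests", {})
        if "ephemeral-storage" not in requests:
            missing.append(c["name"])
    return missing


def emptydir_limits_exceeding_requests(pod: Dict[str, Any]) -> List[str]:
    """emptyDir mounts whose sizeLimit is larger than the container's request.

    A sizeLimit above the request means the scheduler has not reserved enough
    node ephemeral storage for the cache the pod may actually fill.
    """
    spec = pod.get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    problems = []
    for c in spec.get("containers", []):
        req = c.get("resources", {}).get("requests", {}).get("ephemeral-storage")
        if req is None:
            continue  # already reported by containers_missing_ephemeral_request
        for mount in c.get("volumeMounts", []):
            vol = volumes.get(mount["name"], {})
            limit = vol.get("emptyDir", {}).get("sizeLimit")
            if limit and parse_quantity(limit) > parse_quantity(req):
                problems.append(f"{c['name']}: emptyDir {vol['name']} sizeLimit "
                                f"{limit} exceeds ephemeral-storage request {req}")
    return problems


def evaluate(pod: Dict[str, Any]) -> List[str]:
    """All policy violations for a pod spec; an empty list means it would be admitted."""
    violations = [f"hostPath volume not allowed: {n}" for n in find_hostpath_volumes(pod)]
    violations += [f"missing ephemeral-storage request: {n}"
                   for n in containers_missing_ephemeral_request(pod)]
    violations += emptydir_limits_exceeding_requests(pod)
    return violations


if __name__ == "__main__":
    for label, pod in (("hostPath", HOSTPATH_POD), ("emptyDir", EMPTYDIR_POD)):
        print(label, evaluate(pod) or "admitted")
```

Running it shows the hostPath spec rejected on two counts (the hostPath volume and the absent ephemeral-storage request) and the emptyDir spec admitted; the third check is what catches a chart that adds emptyDir but sets a sizeLimit larger than the request it declares.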
Same comment for readers/writers.
Adding in the previous security enhancements to fix CEL-based policy breaches, previously based on 1.1.32, to the latest Helm updates. The security enhancements were:
An example/google-autopilot-cel/ has been created to help the known customers currently needing these CEL enhancements in their production environment.