Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade security context of controller container to be compatible with "Restricted" official pod security standard #191

Open
gabor-one opened this issue Apr 10, 2024 · 1 comment
Open

Upgrade security context of controller container to be compatible with "Restricted" official pod security standard #191

gabor-one opened this issue Apr 10, 2024 · 1 comment

Comments

@gabor-one
Copy link

gabor-one commented Apr 10, 2024
edited
Loading

Currently, only the "runAsUser" option is set in the controller's container securityContext.

securityContext:
            runAsUser: 101

Official Azure policies expect "allowPrivilegeEscalation" to be declared false.
Kubernetes clusters should not allow container privilege escalation Azure policy
Gatekeeper template: k8sazurev3noprivilegeescalation

I propose to upgrade the securityContext to match the official "restricted" pod security standard.
Official pod security standards documentation.

Proposed securityContext:

spec:
  template:
    spec:
      containers:
        - name: controller
           securityContext:
             runAsUser: 101
             allowPrivilegeEscalation: false
             seccompProfile:
               type: RuntimeDefault
             capabilities:
               drop:
                 - ALL
@OliverMKing
Copy link
Collaborator

Working on #192 to address this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gabor-one @OliverMKing