Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve securityContext for operator Deployment #604

Merged
merged 1 commit into from
Jul 24, 2024
Merged

Improve securityContext for operator Deployment #604

merged 1 commit into from
Jul 24, 2024

Conversation

mjura
Copy link
Contributor

@mjura mjura commented Jul 23, 2024

  1. Restrict container from acquiring additional privileges (securityContext.allowPrivilegeEscalation)
  2. Mount container's root filesystem as read only (securityContext.readOnlyRootFilesystem)
  3. Ensure that container won't be started as privileged container (securityContext.privileged)

Issue: #591

What this PR does / why we need it:

Which issue(s) this PR fixes
Issue #

Special notes for your reviewer:

Checklist:

  • squashed commits into logical changes
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests
  • backport needed

@mjura mjura requested a review from a team as a code owner July 23, 2024 06:58
@mjura mjura mentioned this pull request Jul 23, 2024
Closed
Danil-Grigorev
Danil-Grigorev previously approved these changes Jul 23, 2024
View reviewed changes
yiannistri
yiannistri requested changes Jul 23, 2024
View reviewed changes
Copy link
Contributor

@yiannistri yiannistri left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe these settings should be under .spec.template.spec.containers[n].securityContext rather than spec.template.spec.securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

@mjura
Improve securityContext for operator Deployment
b3e6966 
1. Restrict container from acquiring additional privileges (`securityContext.allowPrivilegeEscalation`)
2. Mount container's root filesystem as read only (`securityContext.readOnlyRootFilesystem`)
3. Ensure that container won't be started as privileged container (`securityContext.privileged`)

Issue: rancher#591
@mjura
Copy link
Contributor Author

mjura commented Jul 24, 2024

I believe these settings should be under .spec.template.spec.containers[n].securityContext rather than spec.template.spec.securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

you are right, I discovered it after testing. thank you for pointing this

@yiannistri yiannistri self-requested a review July 24, 2024 09:29
yiannistri
yiannistri approved these changes Jul 24, 2024
View reviewed changes
Copy link
Contributor

@yiannistri yiannistri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛡️ 👌

@mjura mjura merged commit d9366af into rancher:main Jul 24, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yiannistri yiannistri yiannistri approved these changes

@Danil-Grigorev Danil-Grigorev Danil-Grigorev left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mjura @yiannistri @Danil-Grigorev