Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve securityContext for operator Deployment #604

Merged
merged 1 commit into from
Jul 24, 2024

Conversation

mjura
Copy link
Contributor

@mjura mjura commented Jul 23, 2024

  1. Restrict container from acquiring additional privileges (securityContext.allowPrivilegeEscalation)
  2. Mount container's root filesystem as read only (securityContext.readOnlyRootFilesystem)
  3. Ensure that container won't be started as privileged container (securityContext.privileged)

Issue: #591

What this PR does / why we need it:

Which issue(s) this PR fixes
Issue #

Special notes for your reviewer:

Checklist:

  • squashed commits into logical changes
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests
  • backport needed

@mjura mjura requested a review from a team as a code owner July 23, 2024 06:58
@mjura mjura mentioned this pull request Jul 23, 2024
Danil-Grigorev
Danil-Grigorev previously approved these changes Jul 23, 2024
Copy link
Contributor

@yiannistri yiannistri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe these settings should be under .spec.template.spec.containers[n].securityContext rather than spec.template.spec.securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

1. Restrict container from acquiring additional privileges (`securityContext.allowPrivilegeEscalation`)
2. Mount container's root filesystem as read only (`securityContext.readOnlyRootFilesystem`)
3. Ensure that container won't be started as privileged container (`securityContext.privileged`)

Issue: rancher#591
@mjura
Copy link
Contributor Author

mjura commented Jul 24, 2024

I believe these settings should be under .spec.template.spec.containers[n].securityContext rather than spec.template.spec.securityContext. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod and https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

you are right, I discovered it after testing. thank you for pointing this

@yiannistri yiannistri self-requested a review July 24, 2024 09:29
Copy link
Contributor

@yiannistri yiannistri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛡️ 👌

@mjura mjura merged commit d9366af into rancher:main Jul 24, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants