-
Notifications
You must be signed in to change notification settings - Fork 457
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trivy recommended hardening #329
base: master
Are you sure you want to change the base?
Conversation
@jcpunk |
BTW, could you help resolve the conflict? Thank you. |
ba8b940
to
6059831
Compare
I've added links to the trivy tooling and resolved the conflicts. Just to verify, can this container run with any of the following security settings? runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true Their existence in the If the pod requires run as root with some capabilities, that should probably be noted somewhere... |
Not sure if the hardening can introduce side effect? |
I'd prefer the defaults to have the most hardening that is safe to apply. I'm not super familiar with what the code actually needs... In prod I'm running with the sandbox enabled (what is actually in the patch) and that seems to work. I'd love to have these too: runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true but I don't have a place to test them at this point. Do you know if any of these are workable? |
This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
I'd still like to see some version of this. |
Let's make it in v0.0.29. |
This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
I'd still like to see some version of this. |
securityContext: | ||
seccompProfile: | ||
type: RuntimeDefault |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering if we need to enable it by default. Or, users can enable it if they need it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would aim for by default and have folks loosen the security restrictions if they can't run with them.
Signed-off-by: Pat Riehecky <[email protected]>
conflicts resolved |
This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
I'd still like to see some version of this. |
This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days. |
These hardening bits were recommended by the trivy scanner.
https://github.com/aquasecurity/trivy
https://github.com/aquasecurity/trivy-operator