[Feature request] lockdown the securityContext #21

Open
jennerm opened this issue Sep 25, 2024 · 0 comments

jennerm commented Sep 25, 2024

The security context is not configurable and currently only adds extra controls that the pod/container needs; it does not remove any of the controls that are not needed. Presumably the pod does not need them all, so it would be better if the securityContext was explicitly locked down as far as possible for the controls recommended in the PSS restricted profile?

For instance, could it default to this?

```yaml
spec:
[...]
  securityContext:
    runAsGroup: 65534
    runAsNonRoot: true
    runAsUser: 65534
    seccompProfile:
      type: RuntimeDefault
[...]
  containers:
    - name: eks-pod-identity-agent
      securityContext:
        allowPrivilegeEscalation: false
        privileged: false
        readOnlyRootFilesystem: true
        capabilities:
          add:
            - CAP_NET_BIND_SERVICE
[...]
  initContainers:
    - name: eks-pod-identity-agent-init
      securityContext:
        allowPrivilegeEscalation: false
        privileged: true
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
```
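
An added example, not part of the original issue or the project's code: a simplified Python check of the proposed settings against the securityContext controls of the PSS restricted profile, plus one API-server validation rule. The `POD` dict is constructed from the YAML above, and `check_restricted` is a hypothetical helper name.

```python
# Constructed from the YAML proposed in the issue (elided parts omitted).
POD = {
    "securityContext": {"runAsGroup": 65534, "runAsNonRoot": True, "runAsUser": 65534,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "eks-pod-identity-agent", "securityContext": {
        "allowPrivilegeEscalation": False, "privileged": False,
        "readOnlyRootFilesystem": True,
        "capabilities": {"add": ["CAP_NET_BIND_SERVICE"]}}}],
    "initContainers": [{"name": "eks-pod-identity-agent-init", "securityContext": {
        "allowPrivilegeEscalation": False, "privileged": True,
        "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}],
}

def check_restricted(pod):
    """Return (container, finding) pairs for the securityContext controls of the
    PSS restricted profile; host namespaces, volumes, etc. are not checked."""
    findings = []
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext", {})
        def eff(key):  # a container-level value overrides the pod-level one
            return sc.get(key, pod_sc.get(key))
        def flag(msg):
            findings.append((c["name"], msg))
        if sc.get("privileged"):
            flag("privileged must be false or unset")
        if sc.get("allowPrivilegeEscalation") is not False:
            flag("allowPrivilegeEscalation must be false")
        if sc.get("privileged") and sc.get("allowPrivilegeEscalation") is False:
            flag("API validation rejects privileged=true with allowPrivilegeEscalation=false")
        if eff("runAsNonRoot") is not True:
            flag("runAsNonRoot must be true")
        if 0 in (sc.get("runAsUser"), pod_sc.get("runAsUser")):
            flag("runAsUser must not be 0")
        if (eff("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            flag("seccompProfile.type must be RuntimeDefault or Localhost")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            flag("capabilities.drop must include ALL")
        # The profile compares the literal name NET_BIND_SERVICE (no CAP_ prefix).
        extra = [x for x in caps.get("add", []) if x != "NET_BIND_SERVICE"]
        if extra:
            flag("capabilities.add outside NET_BIND_SERVICE: %s" % extra)
    return findings

if __name__ == "__main__":
    for name, msg in check_restricted(POD):
        print(f"{name}: {msg}")
```

`readOnlyRootFilesystem` is not one of the profile's controls, so the check does not look at it.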