Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add constraints to pod spec #80

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add constraints to pod spec #80

wants to merge 4 commits into from

Conversation

martinkennelly
Copy link
Member

Small changes to pod spec to improve security
See commits.

I wanted to group allowPrivilegeEscalation & readOnlyRootFilesystem at the "pod level" securityContext (ln 23) but it will not allow me.

@martinkennelly
Define user to be non-root and group
3f95d97 
Signed-off-by: Martin Kennelly <[email protected]>
@martinkennelly
Set init fs to read-only and block priv esculation
d67b77a 
Signed-off-by: Martin Kennelly <[email protected]>
@martinkennelly
Define cpu/memory limit for init container
d14e977 
Containers without memory limits are more likely
to be terminated when the node runs out of memory.

Containers without cpu limits can exceed
the capacity of the node, and affect availability
/performance of the host and other containers.

Signed-off-by: Martin Kennelly <[email protected]>
@martinkennelly
Drop init container privileges
7d53183 
Signed-off-by: Kennelly, Martin <[email protected]>
zshi-redhat
zshi-redhat reviewed Apr 8, 2021
View reviewed changes
deployments/server.yaml
securityContext:
runAsUser: 10000
runAsGroup: 10000
runAsNonRoot: true
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does runAsNonRoot require setting nonRoot user in Dockerfile?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zshi-redhat Unfortunately, it seems that it does for NRI. I tried to remove both of the runAsUser and runAsGroup and I got the following error:

Error: container has runAsNonRoot and image will run as root

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@martinkennelly IIUC, we need to update Dockerfile to use non-root user, right?
If yes, would you mind updating the Dockerfile in this PR?

Copy link
Member Author

@martinkennelly martinkennelly Apr 12, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zshi-redhat Good idea. I tried it but it failed with k8 validation:

container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root

See the runAsNonRoot validate here: https://github.com/kubernetes/kubernetes/blob/5648200571889140ad246feb82c8f80a5946f167/pkg/kubelet/kuberuntime/security_context.go#L91

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zshi-redhat zshi-redhat zshi-redhat left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@martinkennelly @zshi-redhat