Namespace does not have PSS level assigned #40
Comments
Hey @uri-peled-unit, helm-charts/stable/connector/values.yaml (line 32 in ad95bae)
Will discuss with team on whether we want to include this annotation by default.
Thanks for your reply 🙏🏽
In my opinion, Annotations in Kubernetes, particularly for third-party
deployments like Twingate, can be beneficial at the namespace level to
maintain a level of abstraction and ensure security. This allows for a
"black box" approach for customers, enhancing security while ensuring
service excellence.
For in-house product development, the flexibility to apply annotations per
pod offers granular control tailored to specific needs. It's a balance
between encapsulating third-party solutions and empowering internal teams
with customization.
Annotations in clusters level should be used for network policies or
ingress and not for the restricted profile of PSS.
*Uri Peled*
Cloud Security Manager
On Tue, 16 Jan 2024 at 19:54 Eran Kampf wrote:
Hey @uri-peled-unit <https://github.com/uri-peled-unit> ,
Thanks for the feedback!
You can add said annotations to the connector pods using .Values.podAnnotations (see https://github.com/Twingate/helm-charts/blob/ad95baea05a0f2d7e9c2e5e3d7d64bcfd0d8453c/stable/connector/values.yaml#L32)
Will discuss with team on whether we want to include this annotation by default.
Aren't these annotations better applied on namespaces or cluster level?
@uri-peled-unit I tried testing it and I'm not sure this annotation even works on the pod level? Didn't work for me...
Yep. This is why I raised this issue 🙏🏽
*Uri Peled*
Cloud Security Manager
On Tue, 16 Jan 2024 at 20:40 Eran Kampf wrote:
@uri-peled-unit I tried testing it and I'm not sure this annotation even works on the pod level? Didn't work for me...
But when setting it on my namespace I did get a bunch of errors to
connectors so we need to look into fixing those to make the container
compatible with "restricted" mode
Hey @uri-peled-unit, The most common source of vulnerabilities within images are the libraries and executables that an image contains. Our approach is to keep the image code footprint as small as possible to avoid the aforementioned. Because the Kubernetes runtime enforces a sandbox environment anyway, a solution where you have a I'll be happy to discuss this further.
@uri-peled-unit we're testing a fix to our Connector docker file to run nonroot. Expecting to have this feature available in the coming connector release. Note that this is not a
Issue Summary
I have noticed that the Helm chart is missing the necessary annotations for PodSecurityPolicy enforcement.
Problem Description
The Helm chart is missing the following annotations in the pod template:
This annotation is crucial for enforcing the PodSecurityPolicy "restricted" on the pods, and its absence may lead to security concerns.
Steps to Reproduce
Expected Behavior
I expected the Helm chart to include the necessary annotations in the pod template out of the box, specifically:
Proposed Solution
It would be beneficial if the Helm chart could be updated to include the missing annotations for proper PodSecurityPolicy enforcement.
Enforcing the pod-security.kubernetes.io/enforce: "restricted" annotation in Kubernetes is important for several reasons:
Security Compliance: Ensures compliance with security best practices and organizational policies.
Least Privilege: Follows the principle of least privilege, limiting pod permissions to minimize security risks.
Preventing Escalation: Mitigates the risk of privilege escalation within containers.
Defense in Depth: Adds an extra layer of defense to the Kubernetes cluster.
Risk Reduction: Reduces the risk of security vulnerabilities and exploits.
Organizational Alignment: Aligns workloads with organizational security policies.
Cluster Hardening: Contributes to the overall security hardening of the Kubernetes cluster.
Auditing and Monitoring: Facilitates auditing and monitoring of security configurations.
Thank you for your attention to this matter.
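An added example, not part of this issue thread or of the Twingate chart: a small Python pre-check that reports which controls of the Pod Security Standards "restricted" profile a rendered pod template would fail, so a chart's template can be validated before the namespace is labelled pod-security.kubernetes.io/enforce=restricted (Pod Security Admission reads that setting from namespace labels, which is why it has no effect as a pod annotation). Both sample templates are constructed for illustration and are not the connector's real manifest.

```python
# Added example (not from the Twingate chart or this thread): pre-check a pod
# template against the Pod Security Standards "restricted" profile before the
# namespace is labelled pod-security.kubernetes.io/enforce=restricted.
# Covers host namespaces, privileged, capabilities, allowPrivilegeEscalation,
# runAsNonRoot and seccomp; the volume-type and sysctl controls are omitted.

def restricted_violations(spec):
    """Return the restricted-profile violations found in a pod spec (dict)."""
    found = []
    pod_sc = spec.get("securityContext", {})
    for host_ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_ns):
            found.append(f"spec.{host_ns} must be false")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            found.append(f"{name}: capabilities.add allows only NET_BIND_SERVICE, got {extra}")
        # A container-level runAsNonRoot/seccompProfile overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found

# Constructed sample templates (not the connector's real manifest).
DEFAULT_SPEC = {"containers": [{"name": "app", "image": "example/app:tag"}]}
HARDENED_SPEC = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "app", "image": "example/app:tag",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    print("default :", restricted_violations(DEFAULT_SPEC))  # four violations
    print("hardened:", restricted_violations(HARDENED_SPEC))  # []
```

Running it against the output of helm template (converted to a dict) shows which securityContext fields the chart still has to set before the namespace can be switched to enforce mode.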