Restrict security context of pods by default #799
Labels
enhancement
New feature or request
Comments
brusdev added a commit to brusdev/activemq-artemis-operator that referenced this issue on Feb 19, 2024:
The operator pod and the broker pods can run with a safer and restricted security context without issues. Restricting the security context of the pods by default also allows a cluster of brokers to be deployed in Kubernetes namespaces with the restricted policy.
brusdev added a commit that referenced this issue on Feb 21, 2024:
The operator pod and the broker pods can run with a safer and restricted security context without issues. Restricting the security context of the pods by default also allows a cluster of brokers to be deployed in Kubernetes namespaces with the restricted policy.
The security context of pods will be restricted by default in 1.1.0
Describe the feature
The operator pod and the broker pods can run with a safer and restricted security context without issues. Restricting the security context of the pods by default also allows a cluster of brokers to be deployed in Kubernetes namespaces with the restricted policy.
The minimal changes to run the pods in Kubernetes namespaces with the restricted policy:
spec.containers[*].securityContext.allowPrivilegeEscalation: false
spec.initContainers[*].securityContext.allowPrivilegeEscalation: false
spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation: false
spec.securityContext.runAsNonRoot: true
spec.containers[*].securityContext.runAsNonRoot: true
spec.initContainers[*].securityContext.runAsNonRoot: true
spec.ephemeralContainers[*].securityContext.runAsNonRoot: true
spec.securityContext.seccompProfile.type: RuntimeDefault
spec.containers[*].securityContext.seccompProfile.type: RuntimeDefault
spec.initContainers[*].securityContext.seccompProfile.type: RuntimeDefault
spec.ephemeralContainers[*].securityContext.seccompProfile.type: RuntimeDefault
spec.containers[*].securityContext.capabilities.drop: ["ALL"]
spec.initContainers[*].securityContext.capabilities.drop: ["ALL"]
spec.ephemeralContainers[*].securityContext.capabilities.drop: ["ALL"]
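The list above enumerates the fields the restricted Pod Security Standard inspects. The following is an added example, not code from activemq-artemis-operator: a small Python checker that reports which of those fields a Pod spec would fail on, and a helper that applies the minimal settings from the list. It follows the restricted profile's inheritance rule, under which runAsNonRoot and seccompProfile may be set once at spec.securityContext and left undefined on individual containers, and it permits only NET_BIND_SERVICE under capabilities.add. The sample pod (names, images) is constructed for the example.

```python
"""Check and harden a Pod spec against the restricted Pod Security Standard
fields listed in the issue. Added example, not part of the operator."""
import copy
import json

CONTAINER_KINDS = ("containers", "initContainers", "ephemeralContainers")
ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")
ALLOWED_ADD_CAPS = ("NET_BIND_SERVICE",)


def _seccomp_type(security_context):
    """Return securityContext.seccompProfile.type, or None when unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")


def restricted_violations(pod_spec):
    """Return the field paths that the restricted policy would reject.

    runAsNonRoot and seccompProfile are inherited from spec.securityContext by
    containers that leave them undefined; a container may not override them
    with a forbidden value. allowPrivilegeEscalation and capabilities are
    checked on every container individually.
    """
    problems = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_non_root = pod_sc.get("runAsNonRoot") is True
    pod_seccomp_ok = _seccomp_type(pod_sc) in ALLOWED_SECCOMP

    for kind in CONTAINER_KINDS:
        for idx, container in enumerate(pod_spec.get(kind) or []):
            path = f"spec.{kind}[{idx}].securityContext"
            sc = container.get("securityContext") or {}

            if sc.get("allowPrivilegeEscalation") is not False:
                problems.append(f"{path}.allowPrivilegeEscalation must be false")

            non_root = sc.get("runAsNonRoot")
            if non_root is False or (non_root is None and not pod_non_root):
                problems.append(f"{path}.runAsNonRoot must be true (or set true in spec.securityContext)")

            seccomp = _seccomp_type(sc)
            if seccomp is None:
                if not pod_seccomp_ok:
                    problems.append(f"{path}.seccompProfile.type must be RuntimeDefault (or set in spec.securityContext)")
            elif seccomp not in ALLOWED_SECCOMP:
                problems.append(f"{path}.seccompProfile.type {seccomp!r} is not allowed")

            caps = sc.get("capabilities") or {}
            if "ALL" not in (caps.get("drop") or []):
                problems.append(f"{path}.capabilities.drop must include ALL")
            extra = [c for c in (caps.get("add") or []) if c not in ALLOWED_ADD_CAPS]
            if extra:
                problems.append(f"{path}.capabilities.add may only contain NET_BIND_SERVICE, found {extra}")
    return problems


def harden(pod_spec):
    """Return a copy of pod_spec with the minimal restricted settings applied.

    Existing capabilities.add entries are kept only if the profile allows them.
    """
    spec = copy.deepcopy(pod_spec)
    pod_sc = spec.get("securityContext") or {}
    pod_sc["runAsNonRoot"] = True
    pod_sc["seccompProfile"] = {"type": "RuntimeDefault"}
    spec["securityContext"] = pod_sc
    for kind in CONTAINER_KINDS:
        for container in spec.get(kind) or []:
            sc = container.get("securityContext") or {}
            sc["allowPrivilegeEscalation"] = False
            sc["runAsNonRoot"] = True
            sc["seccompProfile"] = {"type": "RuntimeDefault"}
            caps = sc.get("capabilities") or {}
            caps["drop"] = ["ALL"]
            kept = [c for c in (caps.get("add") or []) if c in ALLOWED_ADD_CAPS]
            if kept:
                caps["add"] = kept
            else:
                caps.pop("add", None)
            sc["capabilities"] = caps
            container["securityContext"] = sc
    return spec


# Constructed sample: a broker-style pod with no hardening and one container
# that requests an extra capability the restricted profile does not allow.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "broker-0"},  # hypothetical name
    "spec": {
        "initContainers": [{"name": "init", "image": "example/init:latest"}],
        "containers": [{"name": "broker", "image": "example/broker:latest",
                        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}],
    },
}

if __name__ == "__main__":
    for problem in restricted_violations(SAMPLE_POD["spec"]):
        print("violation:", problem)
    fixed = harden(SAMPLE_POD["spec"])
    print("after harden:", restricted_violations(fixed))
    print(json.dumps(fixed, indent=2))
```

Running the module on the sample reports nine violations (four for the init container, five for the broker container including the disallowed NET_ADMIN), and none after harden. Setting the fields at both pod and container level, as the issue's list does, is the conservative choice: it keeps each container compliant even if a later change removes the pod-level defaults.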