create a non-root user for cilium-related containers #23217
Labels
- kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
- kind/feature: This introduces new functionality.
- pinned: These issues are not marked stale by our issue bot.
- sig/agent: Cilium agent related.
- stale: The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
Comments
michi-covalent added labels on Jan 20, 2023:
- kind/bug: This is a bug in the Cilium logic.
- needs/triage: This issue requires triaging to establish severity and next steps.
- kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
aanm added labels on Jan 26, 2023:
- kind/feature: This introduces new functionality.
- sig/agent: Cilium agent related.
and removed labels:
- kind/bug: This is a bug in the Cilium logic.
- needs/triage: This issue requires triaging to establish severity and next steps.
This issue has been automatically marked as stale because it has not |
github-actions (bot) added a label on Mar 28, 2023:
- stale: The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
michi-covalent added a label on Mar 28, 2023:
- pinned: These issues are not marked stale by our issue bot.
Add more item for cilium/proxy image as we recently have this PR merged, thanks to @mhofstetter |
sayboras added a commit to cilium/proxy that referenced this issue on Feb 21, 2024:
This is to improve the security posture of cilium/proxy running in the daemonset mode. Distroless images come in different variants and the one being used here is the most basic one that only contains the following:
- ca-certificates
- A /etc/passwd entry for a root, nonroot and nobody users
- A /tmp directory
- tzdata
Relates: cilium/cilium#23217
sayboras added a commit to cilium/proxy that referenced this issue on Feb 21, 2024:
This is to improve the security posture of cilium/proxy running in the daemonset mode. Distroless images come in different variants and the one being used here is the most basic one that only contains the following:
- ca-certificates
- A /etc/passwd entry for a root, nonroot and nobody users
- A /tmp directory
- tzdata
Relates: cilium/cilium#23217
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit to cilium/proxy that referenced this issue on Feb 21, 2024:
This is to improve the security posture of cilium/proxy running in the daemonset mode.
Relates: cilium/cilium#23217
sayboras added a commit that referenced this issue on Feb 21, 2024:
Relates: cilium/proxy#568
Relates: #23217
Signed-off-by: Tam Mach <tam.mach@cilium.io>
One related note from upstream |
Is there an existing issue for this?
What happened?
investigate whether it's feasible to run cilium-related containers as a non-root user.
ref: https://www.tenable.com/audits/items/CIS_Docker_v1.3.1_L1_Docker_Linux.audit:bdcea17ac365110218526796ae3095b1
Cilium Version
N/A
Kernel Version
N/A
Kubernetes Version
N/A
Sysdump
No response
Relevant log output
No response
Anything else?
No response
Code of Conduct