[Feature] Add AllowPrivilegeEscalation to container's securityContext #450
Conversation
Thanks for submitting your first pull request! You are awesome! 🤗
Will fix failing checks tomorrow.
Thank you very much for the PR, @captnbp! I do this all the time to my own deployments, very highly recommended. Will happily merge this once the tests are fixed.
@yuvipanda all checks passed! :-)
Thank you @captnbp! 🎉 ❤️ 🌻 !!
PR summary
KubeSpawner can spawn pods and containers with a securityContext field set.
The notebook container can only be set with the following security features:
run_as_uid
run_as_gid
fs_gid
supplemental_gids
run_privileged
But in some restrained security context, we need to disable privilege escalation for the notebook container.
By default, AllowPrivilegeEscalation is kept as True. We need a way to set it to False if needed.
Proposed change
Add an allow_privilege_escalation flag to be able to set it to False.
The target flags will be:
run_as_uid
run_as_gid
fs_gid
supplemental_gids
run_privileged
allow_privilege_escalation
Who would use this feature?
People with restrained security context, even for notebook container.
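As an added illustration (not KubeSpawner's own code), the helper below shows how the spawner options listed in the PR map onto the pod-level and container-level securityContext fields, with the proposed allow_privilege_escalation flag emitting `allowPrivilegeEscalation`. The field-name mapping follows the Kubernetes API; the conflict check mirrors the API server's rule that a privileged container cannot also have `allowPrivilegeEscalation: false`.

```python
# Hypothetical helper, not KubeSpawner's implementation: builds the
# securityContext dicts that the spawner options in this PR correspond to.

def build_security_contexts(run_as_uid=None, run_as_gid=None, fs_gid=None,
                            supplemental_gids=None, run_privileged=False,
                            allow_privilege_escalation=None):
    """Return (pod_security_context, container_security_context).

    Only explicitly set options are emitted, so leaving
    allow_privilege_escalation at None keeps the Kubernetes default
    (True), which is what the PR lets operators override.
    """
    # fsGroup and supplementalGroups live on the pod-level securityContext.
    pod_sc = {}
    if fs_gid is not None:
        pod_sc["fsGroup"] = int(fs_gid)
    if supplemental_gids:
        pod_sc["supplementalGroups"] = [int(g) for g in supplemental_gids]

    # runAsUser, runAsGroup, privileged and allowPrivilegeEscalation live on
    # the container-level securityContext of the notebook container.
    container_sc = {}
    if run_as_uid is not None:
        container_sc["runAsUser"] = int(run_as_uid)
    if run_as_gid is not None:
        container_sc["runAsGroup"] = int(run_as_gid)
    if run_privileged:
        container_sc["privileged"] = True
    if allow_privilege_escalation is not None:
        # allowPrivilegeEscalation=false sets no_new_privs on the process, so
        # setuid binaries in the image cannot gain privileges beyond the
        # runAsUser the notebook started with.
        container_sc["allowPrivilegeEscalation"] = bool(allow_privilege_escalation)

    # The API server rejects privileged=true combined with
    # allowPrivilegeEscalation=false; fail early with a readable message
    # instead of at pod creation time.
    if container_sc.get("privileged") and \
            container_sc.get("allowPrivilegeEscalation") is False:
        raise ValueError(
            "run_privileged=True conflicts with allow_privilege_escalation=False")
    return pod_sc, container_sc
```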