New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set container securityContext by default #1798
Merged
yuvipanda
merged 3 commits into
jupyterhub:master
from
consideRatio:pr/set-container-securityContext-by-default
Oct 8, 2020
Merged
Set container securityContext by default #1798
yuvipanda
merged 3 commits into
jupyterhub:master
from
consideRatio:pr/set-container-securityContext-by-default
Oct 8, 2020
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
consideRatio
force-pushed
the
pr/set-container-securityContext-by-default
branch
6 times, most recently
from
October 5, 2020 00:48
32ac9de
to
2f6a466
Compare
yuvipanda
reviewed
Oct 5, 2020
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like! Disabling privilege escalation is my fav!
consideRatio
force-pushed
the
pr/set-container-securityContext-by-default
branch
from
October 5, 2020 15:34
4c0bacf
to
67a83d6
Compare
@consideRatio This LGTM! Happy to merge once the conflict is resolved. <3 for better security by default! |
consideRatio
force-pushed
the
pr/set-container-securityContext-by-default
branch
from
October 8, 2020 11:56
67a83d6
to
dc2f060
Compare
This can help us avoid usage of root by default which can cause clusters with PodSecurityPolicy resources to stop the Helm chart from functioning.
consideRatio
force-pushed
the
pr/set-container-securityContext-by-default
branch
from
October 8, 2020 12:09
dc2f060
to
cc6c02d
Compare
@yuvipanda merge conflicts resolved! |
Thanks, @consideRatio! |
Wieee thank you for taking the time to review this @yuvipanda ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This can help us avoid usage of root by default which can cause clusters with PodSecurityPolicy resources to stop the Helm chart from functioning.
In practice, what I do in this PR is to create Helm chart configuration to set all Pod's containers'
securityContext
, and let this configuration default to have a securityContext like this be injected to all of our managed containers within the pods.A securityContext of a pod with a
runAsUser
directive will force the container to startup as that user instead of the default:root
. This can add another layer of security to by letting the containers we run not end up escalating privileges and ending up abusing some k8s vulnerability to do harmful stuff.Fixes #1386, but not #1408.
singleuser.containerSecurityContext ?
This PR does not add
singleuser.containerSecurityContext
, yet, because it is quite a bit more complicated at the moment. KubeSpawner expose some configuration that in the end goes into either the pod's securityContext or the container's securityContext. Here is an overview.fs_gid
fsGroup
supplemental_gids
supplementalGroups
run_as_uid
runAsUser
run_as_gid
runAsGroup
privileged
privileged
Breaking change
proxy.containerSecurityContex
has been renamed toproxy.chp.containerSecurityContex
I deem that this can be said to close #937 good enough, but only properly by setting
singleuser.cloudMetadata.blockWithIptables: false
.Closes #1491, Closes #1677