Set container securityContext by default #1798
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
consideRatio
force-pushed
the
pr/set-container-securityContext-by-default
branch
6 times, most recently
from
32ac9de
to
2f6a466
Compare
yuvipanda
reviewed
Oct 5, 2020
consideRatio
force-pushed
the
pr/set-container-securityContext-by-default
branch
from
4c0bacf
to
67a83d6
Compare
|
@consideRatio This LGTM! Happy to merge once the conflict is resolved. <3 for better security by default! |
consideRatio
force-pushed
the
pr/set-container-securityContext-by-default
branch
from
67a83d6
to
dc2f060
Compare
This can help us avoid usage of root by default which can cause clusters with PodSecurityPolicy resources to stop the Helm chart from functioning.
consideRatio
force-pushed
the
pr/set-container-securityContext-by-default
branch
from
dc2f060
to
cc6c02d
Compare
|
@yuvipanda merge conflicts resolved! |
|
Thanks, @consideRatio! |
|
Wieee thank you for taking the time to review this @yuvipanda ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This can help us avoid usage of root by default which can cause clusters with PodSecurityPolicy resources to stop the Helm chart from functioning.
In practice, what I do in this PR is to create Helm chart configuration to set all Pod's containers'
securityContext, and let this configuration default to have a securityContext like this be injected to all of our managed containers within the pods.A securityContext of a pod with a
runAsUserdirective will force the container to startup as that user instead of the default:root. This can add another layer of security to by letting the containers we run not end up escalating privileges and ending up abusing some k8s vulnerability to do harmful stuff.Fixes #1386, but not #1408.
singleuser.containerSecurityContext ?
This PR does not add
singleuser.containerSecurityContext, yet, because it is quite a bit more complicated at the moment. KubeSpawner expose some configuration that in the end goes into either the pod's securityContext or the container's securityContext. Here is an overview.fs_gidfsGroupsupplemental_gidssupplementalGroupsrun_as_uidrunAsUserrun_as_gidrunAsGroupprivilegedprivilegedBreaking change
proxy.containerSecurityContexhas been renamed toproxy.chp.containerSecurityContexI deem that this can be said to close #937 good enough, but only properly by setting
singleuser.cloudMetadata.blockWithIptables: false.Closes #1491, Closes #1677