
Security: Please set pod Security Context on all Pods #3

Closed
AceHack opened this issue Mar 31, 2020 · 7 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@AceHack
Contributor

AceHack commented Mar 31, 2020

Many companies have a security requirement in place that all pods must not run as root and set the run as user. Please set this (or allow it to be set) on all pods. This would mean either adding it yourself or adding it to any CRDs that end up creating pods so the user can set it. Note this is at the pod level, not the container level. I will be creating a separate feature request for the container security context.

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

See the pod security context example below for what is required to be set.

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000

Related Feature Request: knative/eventing#2881

@evankanderson
Member

Context:

  • It turns out that Twistlock scans and flags pods and containers running without these settings even if the underlying container has these set in the Docker manifest.
  • ko will create docker images as non-root users with a minimal filesystem that the user doesn't have write access to (except perhaps /var/log).
  • Given the popularity of Twistlock, it may be worth filing an issue against them but also worth repeating these container settings in our YAML for the system pods that we ship.

Random thought: it would be cool to have something which could extract these from a registry and mirror them to Kubernetes. Much simpler than that is to have a test that these are set in the operator tests.
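As an added example, not part of this issue thread or the knative-operator code base: a Go check in the spirit of the "test that these are set in the operator tests" suggestion above, applied to the four pod-level fields from the issue body. It reads a manifest as JSON (the form `kubectl get ... -o json` returns; YAML would need a third-party decoder), accepts both bare Pods and workloads that carry a pod template, and also flags a container whose own securityContext sets runAsUser back to 0, since container-level fields take precedence over pod-level ones. Checking the manifest rather than the image is exactly what a scanner like Twistlock sees, so the image's own USER setting does not help here. The function name CheckManifest, the type names and the three sample manifests are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// securityContext: the PodSecurityContext fields the issue asks for. Pointers
// distinguish "not set" from "set to zero" (runAsUser: 0 is root).
type securityContext struct {
	RunAsNonRoot *bool  `json:"runAsNonRoot"`
	RunAsUser    *int64 `json:"runAsUser"`
	RunAsGroup   *int64 `json:"runAsGroup"`
	FSGroup      *int64 `json:"fsGroup"`
}
type container struct {
	Name            string           `json:"name"`
	SecurityContext *securityContext `json:"securityContext"`
}
type podSpec struct {
	SecurityContext *securityContext `json:"securityContext"`
	InitContainers  []container      `json:"initContainers"`
	Containers      []container      `json:"containers"`
}

// manifest accepts a bare Pod or any workload with a pod template (spec.template.spec).
type manifest struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		podSpec  // bare Pod fields, promoted by encoding/json
		Template *struct {
			Spec podSpec `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// CheckManifest returns one finding per missing or unsafe setting; an empty list
// means the pod-level context is set and no container overrides it back to root.
func CheckManifest(raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	spec := m.Spec.podSpec
	if m.Spec.Template != nil {
		spec = m.Spec.Template.Spec
	}
	var findings []string
	add := func(format string, a ...interface{}) {
		findings = append(findings, m.Kind+"/"+m.Metadata.Name+": "+fmt.Sprintf(format, a...))
	}
	if sc := spec.SecurityContext; sc == nil {
		add("pod-level securityContext is not set")
	} else {
		if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
			add("runAsNonRoot is not true")
		}
		if sc.RunAsUser == nil {
			add("runAsUser is not set")
		} else if *sc.RunAsUser == 0 {
			add("runAsUser is 0 (root)")
		}
		if sc.RunAsGroup == nil {
			add("runAsGroup is not set")
		}
		if sc.FSGroup == nil {
			add("fsGroup is not set")
		}
	}
	// Container-level fields take precedence over pod-level ones, so a single
	// container (init containers included) can quietly undo the pod setting.
	for _, list := range [][]container{spec.InitContainers, spec.Containers} {
		for _, c := range list {
			if c.SecurityContext == nil {
				continue
			}
			if u := c.SecurityContext.RunAsUser; u != nil && *u == 0 {
				add("container %q overrides runAsUser to 0", c.Name)
			}
		}
	}
	return findings, nil
}

// Constructed sample manifests for this example (not from knative-operator).
const (
	GoodDeploymentJSON = `{"kind":"Deployment","metadata":{"name":"activator"},"spec":{"template":{"spec":{"securityContext":{"runAsNonRoot":true,"runAsUser":1000,"runAsGroup":3000,"fsGroup":2000},"containers":[{"name":"activator"}]}}}}`
	BarePodJSON        = `{"kind":"Pod","metadata":{"name":"no-context"},"spec":{"containers":[{"name":"app"}]}}`
	OverridePodJSON    = `{"kind":"Pod","metadata":{"name":"override"},"spec":{"securityContext":{"runAsNonRoot":true,"runAsUser":1000,"runAsGroup":3000,"fsGroup":2000},"containers":[{"name":"app","securityContext":{"runAsUser":0}}]}}`
)

func main() {
	for _, raw := range []string{GoodDeploymentJSON, BarePodJSON, OverridePodJSON} {
		findings, err := CheckManifest([]byte(raw))
		fmt.Println(len(findings), "finding(s)", findings, err)
	}
}
```

The kubelet would refuse to start the override pod anyway (runAsUser 0 under runAsNonRoot: true fails the non-root policy), but a manifest test catches it before anything is applied to a cluster, which is the point of running this over the YAML the operator ships.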

@AceHack
Contributor Author

AceHack commented Apr 21, 2020

We found
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
But again Twistlock does not seem to scan deep enough to detect these settings as of yet.

matzew added a commit to matzew/knative-operator that referenced this issue Jun 5, 2020
Signed-off-by: Matthias Wessendorf <mwessend@redhat.com>
@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 17, 2020
@AceHack
Contributor Author

AceHack commented Sep 17, 2020

/remove-lifecycle stale

@knative-prow-robot knative-prow-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 17, 2020
@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 17, 2020
@AceHack
Contributor Author

AceHack commented Dec 17, 2020

Bump

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 23, 2021
@github-actions

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 24, 2021