Restrict kubernetes pod kernel capabilities #690
Reviewed 3 of 3 files at r1.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @OlafSzmidt)
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @OlafSzmidt)
aimmo-game-creator/game_manager.py, line 253 at r1 (raw file):
], "add": [ "NET_BIND_SERVICE"
Does this container bind to any port less than 1024? If not, this capability might be unnecessary.
aimmo-game-creator/rc-aimmo-game-creator.yaml, line 32 at r1 (raw file):
- name: GAME_MANAGER
  value: kubernetes
securityContext:
Why does this appear twice, in game_manager.py and here?
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @OlafSzmidt and @JCobbles)
aimmo-game-creator/game_manager.py, line 253 at r1 (raw file):
Previously, JCobbles (Jacob Moss) wrote…
Does this container bind to any port less than 1024? If not, this capability might be unnecessary.
This is creating the replication controller for the game, and the game starts Flask, so it's needed.
aimmo-game-creator/rc-aimmo-game-creator.yaml, line 32 at r1 (raw file):
Previously, JCobbles (Jacob Moss) wrote…
Why does this appear twice, in game_manager.py and here?
Done.
Reviewed 3 of 3 files at r1.
Reviewable status: 2 of 3 files reviewed, all discussions resolved (waiting on @JCobbles and @NiallEgan)
Reviewed 1 of 1 files at r2.
Reviewable status: complete! all files reviewed, all discussions resolved
Please read #689 before reviewing!
This PR will increase our pod security from kubesec rating 7 to 8. The next step would be to completely remove root access, but that was quite difficult to figure out as we don't assign any UIDs or GIDs right now.
A simple scan of existing game pods, for example:
The advisory is now gone.
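The review thread above turns on two questions: is NET_BIND_SERVICE justified by the ports the game container actually listens on, and what the "next step" of running without root would look like. The following is an added illustration, not the aimmo project's own code or game_manager.py: it builds the securityContext this PR describes (drop ALL, add back only NET_BIND_SERVICE) as the Python dict a pod or replication-controller spec would carry, derives the capability from the declared containerPorts rather than hard-coding it, and includes a small audit that reports the kind of findings a kubesec-style scan would raise. Function names, the image tag and the sample port numbers are assumptions made for the example.

```python
# Added example, not code from the aimmo repository. Builds the Kubernetes
# securityContext discussed in PR #690 and audits it the way a pod scanner would.
# All function names, the placeholder image and the port values are assumptions.

PRIVILEGED_PORT_LIMIT = 1024  # binding below this needs CAP_NET_BIND_SERVICE when not root


def needs_net_bind_service(container_ports):
    """True if any declared containerPort is privileged (below 1024)."""
    return any(int(p) < PRIVILEGED_PORT_LIMIT for p in container_ports)


def build_security_context(container_ports, run_as_user=None):
    """Drop every capability and add back only what the declared ports require.

    run_as_user is the optional 'next step' from the PR description (a non-root
    UID); this PR itself leaves the user unchanged, so it defaults to None.
    """
    caps = {"drop": ["ALL"]}
    if needs_net_bind_service(container_ports):
        caps["add"] = ["NET_BIND_SERVICE"]
    ctx = {"capabilities": caps, "allowPrivilegeEscalation": False}
    if run_as_user is not None:
        ctx["runAsNonRoot"] = True
        ctx["runAsUser"] = int(run_as_user)
    return ctx


def build_container(name, image, container_ports, run_as_user=None):
    """Container fragment in the shape a pod / replication controller spec uses."""
    return {
        "name": name,
        "image": image,
        "ports": [{"containerPort": int(p)} for p in container_ports],
        "securityContext": build_security_context(container_ports, run_as_user),
    }


def audit_container(container):
    """Return findings a kubesec-style scan would report for one container spec."""
    ports = [p["containerPort"] for p in container.get("ports", [])]
    ctx = container.get("securityContext", {})
    caps = ctx.get("capabilities", {})
    findings = []
    if "ALL" not in caps.get("drop", []):
        findings.append("capabilities not dropped with drop: [ALL]")
    if "NET_BIND_SERVICE" in caps.get("add", []) and not needs_net_bind_service(ports):
        findings.append("NET_BIND_SERVICE added but no containerPort below 1024 is declared")
    if ctx.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation is not set to false")
    if not ctx.get("runAsNonRoot"):
        findings.append("container may run as root (runAsNonRoot not set)")
    return findings


if __name__ == "__main__":
    # Constructed sample: assume the Flask game listens on port 80 (the reviewer's
    # question), so the capability is kept; the remaining finding is the root user.
    game = build_container("game", "example/aimmo-game:PLACEHOLDER", [80])
    print(game["securityContext"])
    print(audit_container(game))
    # Same container once the PR's 'next step' (a non-root UID) is applied.
    print(audit_container(build_container("game", "example/aimmo-game:PLACEHOLDER", [80], 1000)))
```

Running the block prints the securityContext for the port-80 case with NET_BIND_SERVICE retained and a single remaining finding about root; for a container that only declares a high port the capability is simply not added, which is the answer to the reviewer's question in the thread.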