Question: PodSecurity policy check with uid >= 10000 ok? #204

Closed
markuslackner opened this issue Dec 20, 2019 · 6 comments
Comments

@markuslackner

Many helm charts/docker containers use uid 1000 by default. Also in the kubernetes docs there is a sample with uid 1000 (https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). In our environment it would be quite an effort to switch to uids > 10000. On the other hand I don't want to skip this check.

My question: Is enforcing uid >= 10000 necessary and a security improvement, or would it be sufficient to enforce uid >= 1000? Would it be a reasonable feature request to enhance kube-score to allow configuring which uid/gid to check?
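An added example, not kube-score's own code, of the configurable check the question asks for: it resolves the effective `runAsUser` of every container in a Deployment's pod template (container-level securityContext overrides pod-level, per Kubernetes semantics) and flags anything below a site-chosen threshold. The Deployment is a constructed sample, not a manifest from any real cluster.

```python
from typing import Optional

# Constructed Deployment fragment for the example; not from any real cluster.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 1000},          # pod-level default
        "initContainers": [{"name": "migrate"}],         # inherits 1000
        "containers": [
            {"name": "app"},                                              # inherits 1000
            {"name": "sidecar", "securityContext": {"runAsUser": 10001}},  # overrides
            {"name": "debug", "securityContext": {"runAsUser": 0}},       # root
        ],
    }}},
}


def effective_run_as_user(pod_sc: dict, container_sc: dict) -> Optional[int]:
    """Container-level runAsUser wins over the pod-level value; None if neither is set."""
    if "runAsUser" in container_sc:
        return container_sc["runAsUser"]
    return pod_sc.get("runAsUser")


def check_run_as_user(manifest: dict, min_uid: int = 10000) -> list:
    """One finding per (init)container: name, effective uid, and whether it meets min_uid.

    An unset uid is a failure too: the image's USER (or root) would decide at runtime.
    """
    pod_spec = manifest["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    findings = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        uid = effective_run_as_user(pod_sc, c.get("securityContext", {}))
        ok = uid is not None and uid >= min_uid
        findings.append({"container": c["name"], "uid": uid, "ok": ok})
    return findings


def failing_containers(manifest: dict, min_uid: int = 10000) -> list:
    """Names of containers that fail the check at the given threshold."""
    return [f["container"] for f in check_run_as_user(manifest, min_uid) if not f["ok"]]


if __name__ == "__main__":
    # Same manifest, two policies: the strict 10000 default versus a 1000 floor.
    for threshold in (10000, 1000):
        print(f"min uid {threshold}: failing = {failing_containers(SAMPLE_DEPLOYMENT, threshold)}")
```

Note that a 1000 floor still rejects the root container but accepts the inherited pod-level 1000, which is exactly the trade-off the question describes.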

@zegl
Owner

zegl commented Dec 20, 2019

A common pattern is to use uid < 10000 for host local uids, and uids >= 10000 for "remote users". I still think that it makes sense to recommend higher uids, to avoid collisions.

@markuslackner
Author

OK, I see your point. My problem is the "practical" aspect when using docker images from e.g. dockerhub. Often they are using 1000 or 1001 by default and you have to extend them to use another uid/gid. Also most of the guides I have seen for writing security policies in for example helm charts use uid 1001. So I am thinking if kube-score should check for uid >= 1000 because it is widely used in practice, although 10000 is correct from a technical point of view.

@mgier

mgier commented Oct 27, 2020

Would appreciate this, too. If not as default, maybe with an additional config-flag? Something like "strict UID check"?

@zegl
Owner

zegl commented Oct 27, 2020

> Would appreciate this, too. If not as default, maybe with an additional config-flag? Something like "strict UID check"?

If you want to disable this test, you can do so with the --ignore-test or kube-score/ignore annotation.

@mgier

mgier commented Oct 27, 2020

Hi @zegl,

thanks for the fast reply. We checked this option already, but then we have to disable all checks from container-security-context?

We would like to keep the other checks. Right now, the UID check pops up for almost all of our deployments, which makes it hard to use kube-score for us at all because almost every deployment is marked as critical.

@zegl
Owner

zegl commented Nov 2, 2020

> We would like to keep the other checks.

Fair enough, I think that it would make sense to split this check into multiple smaller ones, that can be enabled/disabled individually. I've opened #325 to track this implementation.
