
Each pod should declare its securityContext #18362

Closed
kristinochka opened this issue Nov 12, 2020 · 2 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator kind/enhancement A feature request - must adhere to the feature request template. severity/P1 Has a major impact to usage or development of the system.
Comments

@kristinochka

Is your enhancement related to a problem? Please describe.

For best security practices, the securityContext under each Pod must be fully declared in order to clearly communicate the workload's security posture. In order to be declarative about their security posture, Pods must define every parameter available in their securityContext and in each container's securityContext.

Describe the solution you'd like

The following deployments don't have security definitions:
deploy/operator-local.yaml
deploy/operator.yaml

For example:

kind: Pod
spec:
  containers:
  - securityContext:                 # container-level settings
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL                        # at least one add/drop entry is required
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1001
  hostIPC: false                     # pod-level host namespace settings
  hostNetwork: false
  hostPID: false
  securityContext:                   # pod-level defaults for all containers
    runAsNonRoot: true
    runAsUser: 1001

@kristinochka kristinochka added the kind/enhancement A feature request - must adhere to the feature request template. label Nov 12, 2020
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Nov 12, 2020
@tolusha tolusha added area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator severity/P2 Has a minor but important impact to the usage or development of the system. severity/P1 Has a major impact to usage or development of the system. and removed area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator severity/P2 Has a minor but important impact to the usage or development of the system. labels Nov 13, 2020
@sleshchenko sleshchenko removed the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Nov 13, 2020
@tolusha tolusha added this to the 7.25 milestone Dec 16, 2020
@tolusha tolusha mentioned this issue Dec 24, 2020
kristinochka commented Jan 12, 2021

Little bit more clarification:
Pods must define every parameter available in their securityContext and in each container's securityContext. For Pods, this includes hostNetwork, hostPID, and hostIPC. For each container, this includes privileged, readOnlyRootFilesystem, allowPrivilegeEscalation, and at least one element in capabilities.add or capabilities.drop. The runAsNonRoot and runAsUser parameters may be defined on each container individually or on the Pod to apply them to all containers. If either is not defined on a container, then it must be defined on the Pod. In the context of an OpenShift cluster, runAsUser is not required. Some parameters have specific requirements regarding the acceptable values, but it is most important that each is defined in order to be declarative about the product's security posture.
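The rule set from the issue description and from this clarification can be turned into a simple manifest check. The script below is an added example, not code from the issue or from the che-operator project. It takes manifests as already-parsed dicts (so no YAML library is needed), treats initContainers the same way as containers (an assumption of the example, not something the issue states), and waives runAsUser when called with openshift=True, as the comment allows. The container name and the bare Deployment are constructed for the example.

```python
"""Check that Pod / Deployment manifests declare every securityContext parameter.

Added example, not che-operator code. Rules follow the issue text:
pod-level hostNetwork/hostPID/hostIPC; per-container privileged,
readOnlyRootFilesystem, allowPrivilegeEscalation and at least one
capabilities.add/drop entry; runAsNonRoot/runAsUser on the container or,
failing that, on the pod (runAsUser waived on OpenShift).
"""
from typing import Any, Dict, List

POD_HOST_FIELDS = ("hostNetwork", "hostPID", "hostIPC")
CONTAINER_FIELDS = ("privileged", "readOnlyRootFilesystem", "allowPrivilegeEscalation")
USER_FIELDS = ("runAsNonRoot", "runAsUser")


def pod_spec_of(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec of a Pod, or of a workload that embeds a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec") or {}
    # Deployment, StatefulSet, DaemonSet and Job all carry spec.template.spec
    return ((manifest.get("spec") or {}).get("template") or {}).get("spec") or {}


def check_pod_spec(spec: Dict[str, Any], openshift: bool = False) -> List[str]:
    """Return one finding per undeclared parameter; an empty list means fully declarative."""
    findings: List[str] = []
    for field in POD_HOST_FIELDS:
        if field not in spec:  # the key must be present, whatever its value
            findings.append(f"pod: {field} is not declared")
    pod_sc = spec.get("securityContext") or {}
    # On OpenShift the issue says runAsUser is not required, so only runAsNonRoot is checked.
    required_user = ("runAsNonRoot",) if openshift else USER_FIELDS
    # Assumption of this example: initContainers are held to the same standard.
    workloads = list(spec.get("initContainers") or []) + list(spec.get("containers") or [])
    for index, container in enumerate(workloads):
        name = container.get("name", f"container[{index}]")
        sc = container.get("securityContext")
        if sc is None:
            findings.append(f"{name}: securityContext is missing entirely")
            sc = {}
        for field in CONTAINER_FIELDS:
            if field not in sc:
                findings.append(f"{name}: {field} is not declared")
        caps = sc.get("capabilities") or {}
        if not (caps.get("add") or caps.get("drop")):
            findings.append(f"{name}: capabilities needs at least one add or drop entry")
        for field in required_user:
            if field not in sc and field not in pod_sc:
                findings.append(f"{name}: {field} declared on neither the container nor the pod")
    return findings


def check_manifest(manifest: Dict[str, Any], openshift: bool = False) -> List[str]:
    """Convenience wrapper: locate the PodSpec, then check it."""
    return check_pod_spec(pod_spec_of(manifest), openshift)


# The hardened Pod from the issue description (container name "operator" is constructed).
ISSUE_EXAMPLE = {
    "kind": "Pod",
    "spec": {
        "containers": [{
            "name": "operator",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "privileged": False,
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,
                "runAsUser": 1001,
            },
        }],
        "hostIPC": False,
        "hostNetwork": False,
        "hostPID": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
    },
}

# Constructed: a Deployment with no security definitions at all, like the ones the issue reports.
BARE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{"name": "operator"}]}}},
}

if __name__ == "__main__":
    for label, manifest in (("issue example", ISSUE_EXAMPLE), ("bare deployment", BARE_DEPLOYMENT)):
        problems = check_manifest(manifest)
        status = "OK" if not problems else f"{len(problems)} finding(s)"
        print(f"{label}: {status}")
        for problem in problems:
            print("  -", problem)
```

Run it as a script to see the issue's own example pass and the bare Deployment produce ten findings (nine with openshift=True); in a CI job you would load each file under deploy/ with a YAML parser and fail the build when check_manifest returns anything.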

@tolusha tolusha modified the milestones: 7.25, 7.26 Jan 13, 2021
@tolusha tolusha mentioned this issue Jan 15, 2021
@tolusha tolusha removed this from the 7.26 milestone Jan 21, 2021
@tolusha tolusha modified the milestone: 7.27 Feb 1, 2021
ArvinB commented May 12, 2021

This is resolved with the latest PR I contributed:
eclipse-che/che-operator#811

We can close this one out.
