
Each pod should explicitly declare its securityContext #21559

Closed
Tracked by #21551
tolusha opened this issue Jul 19, 2022 · 2 comments
Labels
- area/che-operator: Issues and PRs related to Eclipse Che Kubernetes Operator
- kind/task: Internal things, technical debt, and to-do tasks to be performed.
- severity/P1: Has a major impact to usage or development of the system.
- sprint/current
Milestone

Comments

@tolusha
Contributor

tolusha commented Jul 19, 2022

Is your task related to a problem? Please describe

For best security practices, the securityContext under each Pod must be fully declared in order to clearly communicate the workload's security posture. In order to be declarative about their security posture, Pods must define every parameter available in their securityContext and in each container's securityContext.

Continuation of #18362

Describe the solution you'd like

Explicitly define container SecurityContext:

```yaml
# Container-level securityContext (goes under each entry of spec.containers
# and spec.initContainers).
securityContext:
  capabilities:
    drop:
      - ALL                        # start from an empty capability set
  allowPrivilegeEscalation: false  # no setuid/file-capability escalation
  runAsNonRoot: true               # kubelet refuses to start the container as UID 0
```

Describe alternatives you've considered

No response

Additional context

No response
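The following is an added example, not che-operator or DWO code, showing how the requirement in this issue can be checked mechanically: every container (and init container) must carry its own securityContext with `capabilities.drop: [ALL]`, `allowPrivilegeEscalation: false` and `runAsNonRoot: true`. Manifests are represented as already-parsed dicts (what `yaml.safe_load` or a Kubernetes API client returns) so no third-party library is needed; the pod names and images are constructed for the example. It also handles the one inheritance case that makes an audit misleading: `runAsNonRoot` set only at pod level is effective but not explicit, so it is reported separately from a value that is missing or wrong.

```python
"""Audit Pod manifests for an explicit, restrictive container securityContext."""
from typing import Any, Dict, List

# Container-level fields every container must declare, and the required value.
REQUIRED = {
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
}
# Of these, only runAsNonRoot can also be set in spec.securityContext and be
# inherited by containers that leave it unset.
POD_INHERITABLE = {"runAsNonRoot"}


def _drops_all_capabilities(sc: Dict[str, Any]) -> bool:
    drop = (sc.get("capabilities") or {}).get("drop") or []
    return "ALL" in drop


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per problem; an empty list means the pod is compliant."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    pod_name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    findings: List[str] = []
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        where = f"{pod_name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext")
        if sc is None:
            findings.append(f"{where}: securityContext not declared")
            continue
        for field, wanted in REQUIRED.items():
            if field not in sc:
                if field in POD_INHERITABLE and pod_sc.get(field) == wanted:
                    # Effective, but relies on inheritance: the issue asks for it explicitly.
                    findings.append(f"{where}: {field} only inherited from pod "
                                    f"securityContext; declare it on the container")
                else:
                    findings.append(f"{where}: {field} not declared")
            elif sc[field] != wanted:
                findings.append(f"{where}: {field} is {sc[field]!r}, expected {wanted!r}")
        if not _drops_all_capabilities(sc):
            findings.append(f"{where}: capabilities.drop does not include ALL")
    return findings


# Constructed sample manifests (not real deployments).
COMPLIANT_POD = {
    "metadata": {"name": "example-operator"},
    "spec": {"containers": [{
        "name": "operator", "image": "example/operator:1.0",
        "securityContext": {
            "capabilities": {"drop": ["ALL"]},
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True,
        }}]},
}

IMPLICIT_POD = {
    "metadata": {"name": "example-server"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},   # set at pod level only
        "containers": [{
            "name": "server", "image": "example/server:1.0",
            "securityContext": {
                "capabilities": {"drop": ["ALL"]},
                "allowPrivilegeEscalation": False,
            }}]},
}

MISSING_POD = {
    "metadata": {"name": "example-legacy"},
    "spec": {
        "containers": [{"name": "app", "image": "example/app:1.0"}],
        "initContainers": [{
            "name": "init", "image": "example/init:1.0",
            "securityContext": {"runAsNonRoot": False},
        }]},
}


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, IMPLICIT_POD, MISSING_POD):
        for finding in audit_pod(pod) or [f"{pod['metadata']['name']}: OK"]:
            print(finding)
```

Running the script prints `example-operator: OK`, one "only inherited" finding for the server pod, and four findings for the legacy pod (an undeclared securityContext on `app`, and on `init` a missing `allowPrivilegeEscalation`, a wrong `runAsNonRoot` and no `ALL` in `capabilities.drop`). The same `audit_pod` can be pointed at the output of `kubectl get pods -o json` once the items are loaded into dicts.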

@tolusha tolusha added kind/task Internal things, technical debt, and to-do tasks to be performed. sprint/current area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator labels Jul 19, 2022
@tolusha tolusha mentioned this issue Jul 19, 2022
51 tasks
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Jul 19, 2022
@l0rd
Contributor

l0rd commented Jul 19, 2022

@tolusha to clarify: this issue is server side (i.e. for Che operands) and not workspace side (we need a distinct issue for that)?

@l0rd l0rd added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Jul 19, 2022
@tolusha
Contributor Author

tolusha commented Jul 19, 2022

It is for all pods running on the cluster, so che-operator + DWO are involved.

@tolusha tolusha changed the title from "Each container should declare it's securityContext" to "Each pod should explicitly declare it's securityContext" Jul 29, 2022
@tolusha tolusha closed this as completed Aug 1, 2022
@tolusha tolusha added this to the 7.52 milestone Aug 1, 2022
Projects
None yet
Development

No branches or pull requests

3 participants