security: Drop capabilities, set userid and enable seccomp #385
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pjbgf
force-pushed
the
security-context
branch
from
b823a44
to
7c971cd
Compare
pjbgf
force-pushed
the
security-context
branch
from
7c971cd
to
d2aecf0
Compare
pjbgf
changed the title
pjbgf
force-pushed
the
security-context
branch
2 times, most recently
from
bd34eca
to
ccdcc6e
Compare
|
This was tested on Kubernetes |
pjbgf
changed the title
2 tasks
Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works> Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Further restricts the SecurityContext that the controller runs under, by enabling the default seccomp profile and dropping all linux capabilities. This was set at container-level to ensure backwards compatibility with use cases in which sidecars are injected into the source-controller pod without setting less restrictive settings. BREAKING CHANGE: The use of new seccomp API requires Kubernetes 1.19. Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works> Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy. Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
pjbgf
force-pushed
the
security-context
branch
from
ccdcc6e
to
ae3f157
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Further restricts the
SecurityContextthat the controller runs under, by enabling the default seccomp profile, dropping all linux capabilities.This was set at container-level to ensure backwards compatibility with use cases in which more privileged sidecars are injected into the
source-controllerpod without setting less restrictive settings.Note that seccomp will only be enabled if the container runtime and operational system supports it, otherwise the container will run
unconfined(aka fail-open), which is the same behaviour as not setting theseccompProfilein the first place.Relates to fluxcd/flux2#2014
Co authored by @aryan9600
Impacts weaveworks/flux2-openshift#10
BREAKING CHANGE:
65534:65534(userid:groupid). This change may break deployments that hard-coded the user name 'controller' in theirPodSecurityPolicy.