Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trivy recommended hardening #329

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Trivy recommended hardening #329

wants to merge 1 commit into from

Conversation

jcpunk
Copy link

@jcpunk jcpunk commented Apr 20, 2023
edited
Loading

@derekbit
Copy link
Member

@jcpunk
Thanks for your contribution.
Could you please link me to a reference for the feature? Thank you.

@derekbit
Copy link
Member

BTW, could you help resolve the conflict? Thank you.

@jcpunk jcpunk force-pushed the trivy-pss branch 2 times, most recently from ba8b940 to 6059831 Compare July 18, 2023 17:55
@jcpunk
Copy link
Author

jcpunk commented Jul 18, 2023

I've added links to the trivy tooling and resolved the conflicts.

Just to verify, can this container run with any of the following security settings?

runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
   drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true

Their existence in the values.yaml even as comments seems incorrect if they are incompatible.

If the pod requires run as root with some capabilities, that should probably be noted somewhere...

@derekbit
Copy link
Member

Not sure if the hardening can introduce side effect?
I think we can gray the block out and leave a comment here. Users can enable it by updating the values.yaml.
@jcpunk WDYT?

@jcpunk
Copy link
Author

jcpunk commented Nov 27, 2023

I'd prefer the defaults to have the most hardening that is safe to apply. I'm not super familiar with what the code actually needs...

In prod I'm running with the sandbox enabled (what is actually in the patch) and that seems to work.

I'd love to have these too:

runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
   drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true

but I don't have a place to test them at this point. Do you know if any of these are workable?

@github-actions GitHub Actions
Copy link

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the stale label Jun 10, 2024
@jcpunk
Copy link
Author

jcpunk commented Jun 10, 2024

I'd still like to see some version of this.

@derekbit
Copy link
Member

derekbit commented Jun 10, 2024
edited
Loading

Let's make it in v0.0.28.

Let's make it in v0.0.29.

@github-actions github-actions bot removed the stale label Jun 11, 2024
@github-actions GitHub Actions
Copy link

This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the stale label Jul 29, 2024
@jcpunk
Copy link
Author

jcpunk commented Jul 29, 2024

I'd still like to see some version of this.

@github-actions github-actions bot removed the stale label Jul 30, 2024
derekbit
derekbit reviewed Aug 31, 2024
View reviewed changes
deploy/chart/local-path-provisioner/values.yaml
Comment on lines +77 to +102
securityContext:
seccompProfile:
type: RuntimeDefault
Copy link
Member

@derekbit derekbit Aug 31, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if we need to enable it by default. Or, users can enable it if they need it.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would aim for by default and have folks loosen the security restrictions if they can't run with them.

@jcpunk
Setup seccompProfile per recommendation from trivy
d0a42df 
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
@jcpunk
Copy link
Author

jcpunk commented Sep 12, 2024

conflicts resolved

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derekbit derekbit derekbit left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jcpunk @derekbit