Set securityContext on namespace-metadata job container #9445

Closed
akorp opened this issue Sep 22, 2022 · 2 comments

Comments

akorp commented Sep 22, 2022

What problem are you trying to solve?

Additional security. It is a security best practice to run containers with the minimum required securityContext. Many Kubernetes users, including us, have constraints in the cluster prohibiting high privileges.

How should the problem be solved?

Add securityContext for the namespace-metadata job.

securityContext:
  privileged: false
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  readOnlyRootFilesystem: true

As described at #6638, the image might change in the future, but any image is unlikely to require high privileges for the tasks described in the PR.

Any alternatives you've considered?

Could not find other alternatives for the described solution.

How would users interact with this feature?

No response

Would you like to work on this feature?

No response
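The following is an added example, not code from the Linkerd project or from the issue author. It shows, in Python rather than Helm/YAML so that it runs offline, what the requested change amounts to on a Job manifest: an audit that flags every container whose securityContext is missing or weaker than the four settings listed above, and a helper that applies those settings. The Job manifest is a constructed stand-in (placeholder names and image, not the real chart's values). Unset fields count as findings because the Kubernetes defaults run in the insecure direction (allowPrivilegeEscalation unset means true; runAsNonRoot unset means no check at admission). One caveat a practitioner should keep in mind: readOnlyRootFilesystem: true will break an image that writes to its own filesystem, so such an image needs an emptyDir mounted at its scratch path.

```python
"""Audit and harden container securityContext on a Kubernetes Job manifest.

Added example for the discussion in this issue; not Linkerd project code.
Manifests are plain dicts (what you would get from parsing the YAML) so the
script has no third-party dependencies.
"""
from copy import deepcopy

# The baseline requested in the issue.
REQUIRED_SECURITY_CONTEXT = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
}

# Constructed stand-in for the namespace-metadata Job with no securityContext.
# The name, namespace and image are placeholders, not the real chart's values.
UNHARDENED_JOB = {
    "apiVersion": "batch/v1",
    "kind": "Job",
    "metadata": {"name": "namespace-metadata", "namespace": "linkerd"},
    "spec": {
        "template": {
            "spec": {
                "restartPolicy": "Never",
                "containers": [
                    {
                        "name": "namespace-metadata",
                        "image": "example.invalid/namespace-metadata:placeholder",
                    }
                ],
            }
        }
    },
}


def _all_containers(pod_spec):
    """initContainers get the same scrutiny as containers; both run in the pod."""
    return pod_spec.get("initContainers", []) + pod_spec.get("containers", [])


def audit_container(container):
    """Return one finding string per required field that is unset or wrong.

    An unset field is reported, not assumed safe: Kubernetes does not default
    these fields to the hardened value.
    """
    ctx = container.get("securityContext") or {}
    findings = []
    for key, want in REQUIRED_SECURITY_CONTEXT.items():
        got = ctx.get(key)
        if got is None:
            findings.append(
                f"{container['name']}: securityContext.{key} is unset (want {want})"
            )
        elif got != want:
            findings.append(
                f"{container['name']}: securityContext.{key}={got} (want {want})"
            )
    return findings


def audit_job(job):
    """Collect findings across every container in the Job's pod template."""
    pod_spec = job["spec"]["template"]["spec"]
    findings = []
    for container in _all_containers(pod_spec):
        findings.extend(audit_container(container))
    return findings


def harden_job(job):
    """Return a deep copy with the required securityContext merged into every
    container. Existing keys not in the baseline (e.g. capabilities) are kept."""
    hardened = deepcopy(job)
    pod_spec = hardened["spec"]["template"]["spec"]
    for container in _all_containers(pod_spec):
        ctx = dict(container.get("securityContext") or {})
        ctx.update(REQUIRED_SECURITY_CONTEXT)
        container["securityContext"] = ctx
    return hardened


if __name__ == "__main__":
    for line in audit_job(UNHARDENED_JOB):
        print("FINDING:", line)
    fixed = harden_job(UNHARDENED_JOB)
    print("after hardening, findings:", audit_job(fixed))
```

Run against a real chart, the same logic sits naturally in a CI step over the rendered `helm template` output, or as a policy in an admission controller; the point is that a field left unset is treated as a violation, not as a pass.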

@akorp akorp changed the title Set allowPrivilegeEscalation to false on namespace-metadata job container Set allowPrivilegeEscalation/readOnlyRootFilesystem on namespace-metadata job container Sep 22, 2022
@akorp akorp changed the title Set allowPrivilegeEscalation/readOnlyRootFilesystem on namespace-metadata job container Set securityContext on namespace-metadata job container Sep 22, 2022
@adleong adleong added this to the stable-2.13.0 milestone Sep 22, 2022
@alpeb alpeb self-assigned this Oct 20, 2022
@alpeb (Member)

alpeb commented Nov 3, 2022

Note that this is being addressed indirectly by #9719

@alpeb (Member)

alpeb commented Dec 22, 2022

Addressed in #9719

@alpeb alpeb closed this as completed Dec 22, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 22, 2023