Feature request: Simplify pods security hardenings #457
Comments
As it stands right now all apps are run in namespaces that have the baseline profile set (pod-security.kubernetes.io/enforce=baseline). If you wish to switch to the restricted profile do Going beyond the standard profiles is a bit difficult. We don't want to limit the number of users that can use this, so doing anything more than the baseline profile by default will have a negative effect. What I do think is possible is to do some framework that allows one to configure basically a pod template that will be applied.
That is already a nice feature. However, with that profile Acorn should switch to non-root and drop ALL capabilities, as those are the things where the Kubernetes defaults do not match the restricted policy. I mean, this example:

```
containers: {
    web: {
        image: "mcr.microsoft.com/dotnet/samples:aspnetapp"
        ports: publish: "80/http"
    }
}
```

does not work because that image defaults to root and even Microsoft is not willing to change that default (yes, I tried in dotnet/dotnet-docker#3139).
@olljanat Docker allows non-root to bind to <1024 ports. I'm not sure k8s does that by default, I have to look into it.
k8s does not, but k3s and rke2 do starting from v1.24.2, as I managed to get it included in k3s-io/k3s#5538. However, ASP.NET can also be instructed to change the port with an environment variable like

If my proposal gets approved then containerd 2.0 should enable it for k8s too: containerd/containerd#6924
need to discuss with @ibuildthecloud to see what we want to do here |
I just thought I'd add, I can't get anything to actually run with the restricted profile. The Deployments generated by acorn do not meet the requirements so you get this kind of thing in the replicaset events and no Pods:
I'm not sure if there is a trick I'm missing here to change some config in my Acornfile to make it comply... |
Because of history and unwillingness to implement the needed breaking change, Docker and Kubernetes still default to the `root` user, not to mention other security hardening which most modern applications would work just fine with. Based on my experience most applications work just fine with a security context like this:

with which they can run in a namespace where the `restricted` Pod Security Policy is enforced. That is why it would be nice to have just one setting which can be enabled for an Acorn app and which will add that security context to the deployment and the `pod-security.kubernetes.io/enforce: restricted` label to the namespace which it creates.

Additionally, I have noticed many apps also work even with `readOnlyRootFilesystem: true` as long as tmpfs is mounted to `/tmp`, meaning something like this on the deployment yaml:

and because it is recommended in the NSA Kubernetes Hardening Guide it would be nice to have a setting for it too.
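The two things the thread circles around are (a) why the generated Deployments fail the restricted profile (the "ReplicaSet events and no Pods" comment above) and (b) the one-setting hardening proposed in the issue body. Below is an added example that is not part of the original issue and not Acorn's code: a stdlib-only Python pre-flight check of a pod template against the Kubernetes "restricted" Pod Security Standard, plus a `harden()` that applies the security context the issue describes (non-root, drop ALL capabilities, no privilege escalation, RuntimeDefault seccomp, read-only root filesystem with a tmpfs-backed emptyDir on /tmp). The uid 1000, the volume name `tmp`, and the sample pod spec are assumptions; the spec is a hand-written approximation of what the Acornfile in the thread would turn into with Kubernetes defaults.

```python
# Added example, not Acorn's code: a pre-flight check of a pod template against
# the Kubernetes "restricted" Pod Security Standard, plus the one-setting
# hardening the issue asks for. Stdlib only; manifests are plain dicts in the
# shape `kubectl get -o json` returns. Sample specs below are constructed.
import copy
import json

# Volume types the restricted profile permits (anything else, e.g. hostPath, fails).
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def restricted_violations(pod_spec):
    """Return the restricted-profile violations in a pod spec (empty list = passes).

    Container-level securityContext fields override pod-level ones, as in the
    real Pod Security admission controller.
    """
    problems = []
    psc = pod_spec.get("securityContext") or {}

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            problems.append(f"spec.{key} must be false or unset")

    for vol in pod_spec.get("volumes") or []:
        for kind in (k for k in vol if k != "name"):
            if kind not in RESTRICTED_VOLUME_TYPES:
                problems.append(f"volume {vol['name']!r} uses disallowed type {kind!r}")

    containers = [c for field in ("containers", "initContainers", "ephemeralContainers")
                  for c in pod_spec.get(field) or []]
    for c in containers:
        name = c.get("name", "<unnamed>")
        csc = c.get("securityContext") or {}
        if csc.get("privileged"):
            problems.append(f"container {name!r}: privileged must be false")
        if csc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r}: allowPrivilegeEscalation must be set to false")
        caps = csc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"container {name!r}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add") or []) - {"NET_BIND_SERVICE"})
        if extra:
            problems.append(f"container {name!r}: capabilities.add may only contain NET_BIND_SERVICE, got {extra}")
        if csc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            problems.append(f"container {name!r}: runAsNonRoot must be true (pod or container level)")
        if csc.get("runAsUser", psc.get("runAsUser")) == 0:
            problems.append(f"container {name!r}: runAsUser must not be 0")
        seccomp = (csc.get("seccompProfile") or psc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def harden(pod_spec, run_as_user=1000, tmp_volume="tmp"):
    """Return a copy of pod_spec with the security context the issue describes applied.

    Only securityContext, volumes and volumeMounts are touched; host namespaces and
    disallowed volume types are left for restricted_violations() to report. The uid
    and the volume name are assumptions, not Acorn behaviour.
    """
    spec = copy.deepcopy(pod_spec)
    spec["securityContext"] = {
        **(spec.get("securityContext") or {}),
        "runAsNonRoot": True,
        "runAsUser": run_as_user,
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    volumes = spec.setdefault("volumes", [])
    if not any(v.get("name") == tmp_volume for v in volumes):
        volumes.append({"name": tmp_volume, "emptyDir": {"medium": "Memory"}})  # medium Memory = tmpfs
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        csc = c.get("securityContext") or {}
        c["securityContext"] = csc
        for key in ("privileged", "runAsUser", "runAsNonRoot", "seccompProfile"):
            csc.pop(key, None)  # drop container-level overrides so the pod-level values win
        keep = [cap for cap in ((csc.get("capabilities") or {}).get("add") or []) if cap == "NET_BIND_SERVICE"]
        csc["capabilities"] = {"drop": ["ALL"], **({"add": keep} if keep else {})}
        csc["allowPrivilegeEscalation"] = False
        csc["readOnlyRootFilesystem"] = True
        mounts = c.setdefault("volumeMounts", [])
        if not any(m.get("mountPath") == "/tmp" for m in mounts):
            mounts.append({"name": tmp_volume, "mountPath": "/tmp"})
    return spec


# Constructed sample: what the Acornfile in the thread roughly turns into with
# Kubernetes defaults (no securityContext at all, so the image runs as root).
DEFAULT_POD_SPEC = {
    "containers": [{
        "name": "web",
        "image": "mcr.microsoft.com/dotnet/samples:aspnetapp",
        "ports": [{"containerPort": 80}],
    }],
}

if __name__ == "__main__":
    for problem in restricted_violations(DEFAULT_POD_SPEC):
        print("violation:", problem)
    hardened = harden(DEFAULT_POD_SPEC)
    assert restricted_violations(hardened) == []
    print(json.dumps({"spec": hardened}, indent=2))  # JSON is valid YAML; paste under spec.template
```

Run it as a script: it lists the four violations the default template has (no `allowPrivilegeEscalation: false`, no `drop: [ALL]`, no `runAsNonRoot`, no seccomp profile), then prints the hardened pod spec. `harden()` deliberately does not rewrite host namespaces or hostPath volumes, because removing those changes what the app can do; it only reports them. The checker tolerates `capabilities.add: [NET_BIND_SERVICE]` since that is the only capability the restricted profile lets you add back; whether a non-root process can then actually bind port 80 is the runtime question discussed in the comments above. A passing check is necessary, not sufficient: an image that assumes root, like the .NET sample, can still break under uid 1000 through file ownership or write paths outside /tmp, so test the hardened template with `kubectl apply --dry-run=server` against the labelled namespace and then with a real rollout.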