SELinux audits

[dani-santos-code]

Going through Kubernetes pod security standards, it seem it'd be desirable to audit custom SELinux user or role.

Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.

Restricted Fields

- spec.securityContext.seLinuxOptions.type
- spec.containers[*].securityContext.seLinuxOptions.type
- spec.initContainers[*].securityContext.seLinuxOptions.type
- spec.ephemeralContainers[*].securityContext.seLinuxOptions.type

Allowed Values

- Undefined/""
- container_t
- container_init_t
- container_kvm_t

Restricted Fields

- spec.securityContext.seLinuxOptions.user
- spec.containers[*].securityContext.seLinuxOptions.user
- spec.initContainers[*].securityContext.seLinuxOptions.user
- spec.ephemeralContainers[*].securityContext.seLinuxOptions.user
- spec.securityContext.seLinuxOptions.role
- spec.containers[*].securityContext.seLinuxOptions.role
- spec.initContainers[*].securityContext.seLinuxOptions.role
- spec.ephemeralContainers[*].securityContext.seLinuxOptions.role

Allowed Values

- Undefined/""

ISSUE TYPE

• Bug Report
• Feature Idea

BUG REPORT

SUMMARY

Follow best practices and latest security recommendations

FEATURE IDEA

• If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.¹

Proposal:

¹ _{This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.}