Add Seccomp default profile to managed apps and core components #259
Can we find out what the actual |
Here https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp it says:
And Docker seccomp docs state the following:
I'm not sure if Flatcar is setting some other values there, but IIUC I don't think they would, since Not sure how switching to containerd would affect that, they have some default stuff here https://github.com/containerd/containerd/blob/master/contrib/seccomp/seccomp_default.go. |
This would be only for our stuff right? If we hit those profile limits we might need to create seccomp profiles for our stuff. |
yes it is only for our stuff, but I would include the default profile for
the restricted PSP, to have a default secure setting (do we need to see
what differences are and if it will cause any harm to the users).
On Mon, Feb 1, 2021 at 3:20 PM Puja wrote:
This would be only for our stuff right? If we hit those profile limits we might need to create seccomp profiles for our stuff.
|
There are some changes here in the upstream. Here is KEP-2413: Enable seccomp by default.
|
@stone-z would this be something that team shield could drive (you might even have sth similar already planned)? |
Yep! This is in our backlog. There is already a policy requiring |
The use of the runtime/default seccomp profile has been tested on a MC and WC by setting it as the default for anything normally running undefined. Creating clusters was without problems, therefore the profile is being set for the repos below; the list below contains the apps/components reported by Kyverno alerts. A checked box below either means:
It does NOT mean it's released with the profile yet. List:
|
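An added example, not code from this issue or from Giant Swarm, of the "undefined" check the Kyverno alerts above report on: it resolves each container's effective seccomp profile across the `securityContext` field form, the legacy alpha annotations, and the PSP `defaultProfileName` the issue body wants on the restricted PSP. The manifest is constructed for the example.

```python
# Resolves the effective seccomp profile per container so that workloads
# "normally running undefined" can be listed before a default is applied.
# Precedence: container securityContext > pod securityContext >
# legacy alpha annotations > PSP defaultProfileName (psp_default).
POD_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_ANNOTATION_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def _profile_type(ctx):
    """Profile type from a securityContext dict, or None if unset."""
    return ((ctx or {}).get("seccompProfile") or {}).get("type")


def effective_seccomp(pod, psp_default=None):
    """Map container name -> effective seccomp profile ("undefined" if none).

    psp_default is the PSP's seccomp defaultProfileName annotation value
    (e.g. "runtime/default"); it only applies when the pod sets nothing.
    """
    ann = pod.get("metadata", {}).get("annotations") or {}
    spec = pod.get("spec", {})
    pod_level = _profile_type(spec.get("securityContext")) or ann.get(POD_ANNOTATION)
    result = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c["name"]
        prof = (_profile_type(c.get("securityContext"))
                or ann.get(CONTAINER_ANNOTATION_PREFIX + name)
                or pod_level
                or psp_default)
        result[name] = prof or "undefined"
    return result


def undefined_containers(pod, psp_default=None):
    """Names of containers that would run without any seccomp profile."""
    return [n for n, p in effective_seccomp(pod, psp_default).items() if p == "undefined"]


# Constructed sample manifest (not a real Giant Swarm component).
SAMPLE_POD = {
    "metadata": {"name": "demo",
                 "annotations": {CONTAINER_ANNOTATION_PREFIX + "legacy": "runtime/default"}},
    "spec": {
        "initContainers": [{"name": "init"}],
        "containers": [
            {"name": "app", "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
            {"name": "legacy"},
            {"name": "sidecar", "securityContext": {"runAsNonRoot": True}},
        ],
    },
}

if __name__ == "__main__":
    print(effective_seccomp(SAMPLE_POD))                        # init and sidecar undefined
    print(undefined_containers(SAMPLE_POD, "runtime/default"))  # [] once the PSP defaults it
```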
#29) * Added volumetypes to PSP to prevent issue spinning pods as described at: giantswarm/roadmap#259 (comment). * Updated vulnerable dependencies --------- Co-authored-by: vvondruska <[email protected]>
* Added volumetypes to PSP to prevent issue spinning pods as described at: giantswarm/roadmap#259 (comment). * Forgot changelog..
#92) * Added volumetypes to PSP to prevent issue spinning pods as described at: giantswarm/roadmap#259 (comment). * Fix vulnerabilities --------- Co-authored-by: Erkan Erol <[email protected]>
For the repositories listed below, issues describing the wanted changes will be made.
|
Opened PRs for azure-collector, cert-operator, cluster-cleaner, and aws-tccpf-watchdog. Looks like giantswarm/vertical-pod-autoscaler-app#151 is ok - is there a blocker there? |
The CI failure in giantswarm/azure-admission-controller#422 does not seem like it could be related to your changes |
For giantswarm/vertical-pod-autoscaler-app#151 Other leftover PRs are:
Other than that, tickets are open, and we should be good to go. |
Team Shield's part of this ticket is done. |
Is your feature request related to a problem? Please describe.
Kubernetes allows setting seccomp profiles on workloads. It is an extra security layer, and some security benchmarks recommend enabling it by default.
Describe the solution you'd like
Adding the default profile for all our managed components and the restricted PSP. Verify it is not affecting the behaviour of any component (maybe node exporter should be reviewed).
Describe alternatives you've considered
Additional context