Kubescape supports some exceptions, but only at the level of pods. Since a pod can have more than one container, it would be useful to allow the exclusion of specific containers of a pod from the scan.
Problem
If your deployment workload resource definition (e.g. helm) pulls in external upstream container images during runtime, those images may have Pod definitions with the privilege flag policy set to true for one or more of their Pods. It is recommended that the CNF developer audits and cleans up any upstream images to respect this rule, ensuring the privilege flag is set to false when following this best practice.
Some Pods may need privileges to provide required functionality, for example kube-proxy or the Envoy side-car.
It is the responsibility of the CNF developer to communicate the privileges needed by their CNF. Source: https://github.com/lfn-cnti/bestpractices/blob/main/doc/cbpps/0004-do-not-run-containers-with-privilege-flag.md#notesconstraintscaveats
So, I believe it would be beneficial to allow the exclusion of specific containers from the privileged test.
Solution
To address this, the ability to add container types to the exception file can be implemented. This will allow the exclusion of those containers from the scan.
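The gap the issue describes is one of granularity: the privileged flag is set per container, while an exception applies to a whole pod, so excusing one side-car silences the finding for every container in that pod. The following added example (not Kubescape code, and not the project's exception format) models both granularities over constructed pod manifests held as plain dicts: an exception entry with `container` set to `None` stands for today's pod-level exclusion, while an entry naming a container excludes only that container. The pod names, namespaces, exception fields and the `find_privileged` helper are all assumptions made for the illustration.

```python
"""Container-granular privileged check with an exception list.

Added example, not Kubescape's own code or exception schema. It shows why
a pod-level exception is coarser than the privileged flag it excuses: the
flag lives on each container (init containers included), so a per-container
exception keeps reporting other privileged containers in the same pod.
"""
import fnmatch

# Constructed sample workloads (dicts standing in for parsed YAML manifests).
SAMPLE_PODS = [
    {
        "metadata": {"name": "kube-proxy-abc12", "namespace": "kube-system"},
        "spec": {"containers": [
            {"name": "kube-proxy", "securityContext": {"privileged": True}},
        ]},
    },
    {
        "metadata": {"name": "app-7f9", "namespace": "cnf"},
        "spec": {
            "initContainers": [
                {"name": "sysctl-init", "securityContext": {"privileged": True}},
            ],
            "containers": [
                {"name": "app", "securityContext": {"privileged": False}},
                {"name": "envoy", "securityContext": {"privileged": True}},
            ],
        },
    },
]

# Constructed, hypothetical exception list. "container": None means the whole
# pod is excluded (the only granularity the issue says exists today); a named
# container excludes just that container. Pod names are glob patterns.
SAMPLE_EXCEPTIONS = [
    {"namespace": "kube-system", "pod": "kube-proxy-*", "container": None},
    {"namespace": "cnf", "pod": "app-*", "container": "envoy"},
]


def iter_containers(pod):
    """Yield (name, spec) for init containers and regular containers alike."""
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        yield c["name"], c


def is_privileged(container):
    """True when the container's securityContext sets privileged: true."""
    return bool(container.get("securityContext", {}).get("privileged", False))


def is_excepted(namespace, pod_name, container_name, exceptions):
    """Match an exception by namespace, pod glob and (optionally) container."""
    for ex in exceptions:
        if ex["namespace"] != namespace or not fnmatch.fnmatch(pod_name, ex["pod"]):
            continue
        if ex["container"] is None or ex["container"] == container_name:
            return True
    return False


def find_privileged(pods, exceptions):
    """Return (namespace, pod, container) for every privileged container
    that no exception covers."""
    findings = []
    for pod in pods:
        ns = pod["metadata"].get("namespace", "default")
        name = pod["metadata"]["name"]
        for cname, c in iter_containers(pod):
            if is_privileged(c) and not is_excepted(ns, name, cname, exceptions):
                findings.append((ns, name, cname))
    return findings


if __name__ == "__main__":
    for ns, pod, container in find_privileged(SAMPLE_PODS, SAMPLE_EXCEPTIONS):
        print(f"privileged container not excepted: {ns}/{pod} [{container}]")
```

With the sample data, the container-level entry for `envoy` leaves the privileged `sysctl-init` init container in the same pod reported, whereas replacing that entry with a pod-level one (`"container": None`) would hide it as well. That difference is the reason a per-container exception is the more precise tool.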