
Upgrade security context of controller container to be compatible with "Restricted" official pod security standard

Open gabor-one opened this issue 1 year ago • 1 comments

Currently, only the "runAsUser" option is set in the controller's container securityContext.

securityContext:
  runAsUser: 101

Official Azure policies expect "allowPrivilegeEscalation" to be declared false. Azure policy: "Kubernetes clusters should not allow container privilege escalation". Gatekeeper template: k8sazurev3noprivilegeescalation

I propose to upgrade the securityContext to match the official "restricted" pod security standard. See the official pod security standards documentation.

Proposed securityContext:

spec:
  template:
    spec:
      containers:
        - name: controller
          securityContext:
            runAsUser: 101
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop:
                - ALL

gabor-one, Apr 10 '24 12:04
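Added example, not part of the issue or the project's code: a check of the two securityContext blocks above against the container-level controls of the Kubernetes "Restricted" Pod Security Standard. The function and variable names are hypothetical, the blocks are entered as already-parsed mappings, and it evaluates only the values that take effect for one container, with seccompProfile, runAsNonRoot and runAsUser falling back to an optional pod-level securityContext.

```python
# Added example: container-level checks from the Kubernetes "Restricted"
# Pod Security Standard. All names here are hypothetical, not project code.

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(container_sc, pod_sc=None):
    """Return the sorted Restricted controls that this container fails."""
    pod_sc = pod_sc or {}
    found = set()
    if container_sc.get("privileged") is True:
        found.add("privileged")
    if container_sc.get("allowPrivilegeEscalation") is not False:
        found.add("allowPrivilegeEscalation")
    caps = container_sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        found.add("capabilities.drop")
    if set(caps.get("add") or []) - ALLOWED_ADDED_CAPS:
        found.add("capabilities.add")
    # These fields may be left unset on the container and inherited from the pod.
    seccomp = container_sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        found.add("seccompProfile.type")
    non_root = container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if non_root is not True:
        found.add("runAsNonRoot")
    if container_sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
        found.add("runAsUser")
    return sorted(found)


# The two securityContext blocks from the issue, as parsed mappings.
CURRENT_SC = {"runAsUser": 101}
PROPOSED_SC = {
    "runAsUser": 101,
    "allowPrivilegeEscalation": False,
    "seccompProfile": {"type": "RuntimeDefault"},
    "capabilities": {"drop": ["ALL"]},
}

if __name__ == "__main__":
    print("current: ", restricted_violations(CURRENT_SC))
    print("proposed:", restricted_violations(PROPOSED_SC))
    print("proposed, pod-level runAsNonRoot:",
          restricted_violations(PROPOSED_SC, {"runAsNonRoot": True}))
```

The Restricted standard also requires runAsNonRoot: true at pod or container level, which is why the third call passes a pod-level securityContext.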

Working on #192 to address this.

OliverMKing, Apr 10 '24 20:04

Released in 0.2.3.

sabbour, Feb 14 '25 23:02