David Leadbeater

Results 37 comments of David Leadbeater

> the problem is that the container atm now is doing permission changes, when started it changes the permissions of the mounted volume or in my case local folder to...

It looks like huntr.dev are no longer supporting all OSS projects (https://huntr.com/new-huntr-faq/). I suggest using the "Security" tab in GitHub (basically add a SECURITY.md to the repo and enable submitting...

+1. A quick list of things we do have:
- https://prometheus.io/docs/prometheus/latest/configuration/unit_testing_rules/
- https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/#syntax-checking-rules
- https://prometheus.io/docs/prometheus/latest/storage/#backfilling-from-openmetrics-format
- https://prometheus.io/docs/prometheus/latest/migration/#recording-rules-and-alerts "update rules" -- which has been removed now...
- https://prometheus.io/docs/guides/basic-auth/#creating-web-yml

I think it...

Please see https://prometheus.io/docs/operating/security/#automated-security-scanners -- scanners are a tool, their output is usually not useful, in fact for this we have no way to know what "PRISMA-2023-0046" even is, as that...

> You mean a string with "no filename" or an empty string?

Rather than an empty string, it should behave like this for no argument, i.e. `promtool check rules...

@fatsheep9146 ack (I missed that GitHub had parsed your "partly fix #id" comment as "fixes" and so automatically closed this).

@lifubang I think adding to the ambient set like that could be dangerous. For example a container may have a binary that runs as root and then deliberately drops privileges...

From the PR you mention:

> In fact, the runtime-spec having the inheritable set be explicitly configurable is quite strange now that I think about it -- because the runtime...

Unfortunately the capabilities issue applies to many Kubernetes pods, the default list of capabilities from Docker (per [this](https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19)) means that unless users have set capabilities to a more restrictive set...

I've opened a draft PR #4129, it's a bit ugly, but does work in my basic testing. I'll test it within a Kubernetes cluster and see about cleaning it up...