
Trivy recommended hardening

Open jcpunk opened this issue 2 years ago • 11 comments

These hardening bits were recommended by the trivy scanner.

https://github.com/aquasecurity/trivy https://github.com/aquasecurity/trivy-operator

jcpunk avatar Apr 20 '23 15:04 jcpunk

@jcpunk Thanks for your contribution. Could you please link me to a reference for the feature? Thank you.

derekbit avatar Jul 18 '23 08:07 derekbit

BTW, could you help resolve the conflict? Thank you.

derekbit avatar Jul 18 '23 08:07 derekbit

I've added links to the trivy tooling and resolved the conflicts.

Just to verify, can this container run with any of the following security settings?

runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
   drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true

Their existence in the values.yaml even as comments seems incorrect if they are incompatible.

If the pod requires run as root with some capabilities, that should probably be noted somewhere...

jcpunk avatar Jul 18 '23 17:07 jcpunk

Not sure if the hardening can introduce side effects? I think we can gray the block out and leave a comment here. Users can enable it by updating the values.yaml. @jcpunk WDYT?

derekbit avatar Nov 18 '23 17:11 derekbit

I'd prefer the defaults to have the most hardening that is safe to apply. I'm not super familiar with what the code actually needs...

In prod I'm running with the sandbox enabled (what is actually in the patch) and that seems to work.

I'd love to have these too:

runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
   drop: ["ALL"]
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true

but I don't have a place to test them at this point. Do you know if any of these are workable?

jcpunk avatar Nov 27 '23 14:11 jcpunk
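The same set of settings appears twice in this thread (jcpunk's Jul 18 and Nov 27 comments) and the open question is whether a given rendering of the chart actually carries them. The following is an added example, not code from local-path-provisioner or from Trivy: it audits a Deployment's pod spec for exactly the fields listed above, merging pod-level and container-level securityContext the way Kubernetes does (the container's values win for runAsUser, runAsGroup and runAsNonRoot; allowPrivilegeEscalation, capabilities and readOnlyRootFilesystem exist only on the container). The two manifests embedded in the block are constructed stand-ins for the provisioner's Deployment, and the field names, finding strings and the image reference without a tag are the author's own choices.

```python
"""Audit a Kubernetes pod spec for the hardening settings discussed above.

Added example for this thread; not code from local-path-provisioner or Trivy.
The manifests below are constructed, minimal stand-ins for the provisioner's
Deployment. Field names follow the Kubernetes PodSpec / SecurityContext API.
"""
import json

# Container-level booleans the thread asks for, with the wanted value.
REQUIRED = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
}
NONROOT_UID = 65534  # "nobody", the UID/GID proposed in the thread


def effective_security_context(pod_spec, container):
    """Merge pod-level and container-level securityContext.

    Kubernetes lets a container override the pod's runAsUser, runAsGroup and
    runAsNonRoot; the remaining fields only exist at container level.
    """
    merged = {}
    pod_sc = pod_spec.get("securityContext") or {}
    for key in ("runAsUser", "runAsGroup", "runAsNonRoot"):
        if key in pod_sc:
            merged[key] = pod_sc[key]
    merged.update(container.get("securityContext") or {})
    return merged


def audit_container(pod_spec, container):
    """Return the list of hardening gaps for one container (empty = hardened)."""
    sc = effective_security_context(pod_spec, container)
    findings = []
    for key, want in REQUIRED.items():
        if sc.get(key) != want:
            findings.append(f"{key} should be {json.dumps(want)}")
    if sc.get("runAsUser") in (None, 0):
        findings.append(f"runAsUser should be a non-zero UID (e.g. {NONROOT_UID})")
    if sc.get("runAsGroup") in (None, 0):
        findings.append(f"runAsGroup should be a non-zero GID (e.g. {NONROOT_UID})")
    caps = sc.get("capabilities") or {}
    dropped = [c.upper() for c in caps.get("drop", [])]
    if "ALL" not in dropped:
        findings.append('capabilities.drop should include "ALL"')
    if caps.get("add"):
        # Dropping ALL and then adding some back is a documented exception,
        # not a gap, but it is exactly what the thread asks to have noted.
        findings.append(f"capabilities.add re-grants {caps['add']}")
    if sc.get("privileged"):
        findings.append("privileged must not be true")
    return findings


def audit_pod_spec(pod_spec):
    """Map container name -> findings for every container in the pod spec."""
    return {c["name"]: audit_container(pod_spec, c)
            for c in pod_spec.get("containers", [])}


def pod_spec_of(deployment):
    """Pull the pod template out of a Deployment object (kubectl -o json shape)."""
    return deployment["spec"]["template"]["spec"]


# Constructed sample: a Deployment with no securityContext at all.
WEAK = json.loads("""
{"kind": "Deployment",
 "spec": {"template": {"spec": {
   "containers": [{"name": "local-path-provisioner",
                   "image": "rancher/local-path-provisioner"}]}}}}
""")

# Constructed sample: the settings from the thread, with the UID/GID fields at
# pod level and the container-only fields on the container itself.
HARDENED = json.loads("""
{"kind": "Deployment",
 "spec": {"template": {"spec": {
   "securityContext": {"runAsNonRoot": true, "runAsUser": 65534,
                       "runAsGroup": 65534},
   "containers": [{"name": "local-path-provisioner",
                   "image": "rancher/local-path-provisioner",
                   "securityContext": {"allowPrivilegeEscalation": false,
                                       "readOnlyRootFilesystem": true,
                                       "capabilities": {"drop": ["ALL"]}}}]}}}}
""")

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        for name, findings in audit_pod_spec(pod_spec_of(manifest)).items():
            print(f"[{label}] {name}: {'; '.join(findings) or 'OK'}")
```

The same `audit_pod_spec` can be pointed at the output of `kubectl get deployment -o json` for a rendered chart. A clean result only says the settings are present; it says nothing about whether the provisioner still works under them, which is the part of the question this thread leaves open and that only deploying the chart and provisioning a volume can answer.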