This repository has been archived by the owner on Oct 21, 2022. It is now read-only.
From Kubernetes v1.1, any container in a pod can enable privileged mode, using the privileged flag on the SecurityContext description. This feature is only necessary for a few selected use cases. It should be possible to restrict this flag to the selected namespaces.
User Story
As an administrator, I would like to disable the usage of privileged containers. If it is still necessary I would like to restrict it to a selected namespace.
Implementation idea
The validating webhook should reject pods that have the privileged flag set to true if they are not part of a selected namespace (namespace with allowed privileged containers).
Well, an alternative way to do this is pod security policies. Before we are going to build an alternative mechanism we may want to weigh the pros and cons of this. My gut feeling is that this feature is useful but I believe we need to understand the consequences.
Containers are unprivileged by default, which fits perfectly with our current secure-by-default approach with karydia.
Thus, we decided to go with the current K8s default and consider a suitable solution for later releases of karydia.
Will be solved with #159.
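The check from the implementation idea, as an added example that is not karydia's code and not part of the original issue. The type names, `validatePrivileged`, the namespace allowlist and the sample pod are hypothetical; the example goes beyond the issue text by also inspecting init and ephemeral containers, which carry their own `securityContext`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod schema; only the fields the check reads.
type container struct {
	Name            string `json:"name"`
	SecurityContext *struct {
		Privileged *bool `json:"privileged"`
	} `json:"securityContext"`
}
type pod struct {
	Spec struct {
		Containers          []container `json:"containers"`
		InitContainers      []container `json:"initContainers"`
		EphemeralContainers []container `json:"ephemeralContainers"`
	} `json:"spec"`
}

// validatePrivileged returns the names of privileged containers to reject.
// namespace is the admission request's namespace; allowed is a hypothetical
// allowlist of namespaces that may run privileged containers.
func validatePrivileged(rawPod []byte, namespace string, allowed map[string]bool) ([]string, error) {
	var p pod
	if err := json.Unmarshal(rawPod, &p); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err) // fail closed on unparsable input
	}
	if allowed[namespace] {
		return nil, nil
	}
	var denied []string
	for _, list := range [][]container{p.Spec.Containers, p.Spec.InitContainers, p.Spec.EphemeralContainers} {
		for _, c := range list {
			// privileged is optional; an absent field means unprivileged.
			if c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
				denied = append(denied, c.Name)
			}
		}
	}
	return denied, nil
}

// Constructed sample: the main container is unprivileged, the init container is not.
const samplePod = `{"spec":{"containers":[{"name":"app","securityContext":{"privileged":false}}],"initContainers":[{"name":"setup","securityContext":{"privileged":true}}]}}`

func main() {
	fmt.Println(validatePrivileged([]byte(samplePod), "default", map[string]bool{"kube-system": true}))
}
```

A webhook handler would deny the request when the returned slice is non-empty or the error is non-nil.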