This repository has been archived by the owner on Oct 21, 2022. It is now read-only.
Disallow Privileged Container #78
Labels
enhancement
New feature or request
Comments
|
Well, an alternative way to do this is pod security policies. Before we are going to build an alternative mechanism we may want to weigh the pros-and cons of this. My gut feeling is that this feature is useful but I believe we need to understand the consequences. |
|
Containers are by default unprivileged which fits perfectly to our current secure-by-default approach with karydia. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Description
From Kubernetes v1.1, any container in a pod can enable privileged mode, using the privileged flag on the SecurityContext description. This feature is only necessary for a few selected use cases. It should be possible to restrict this flag to the selected namespaces.
User Story
As an administrator, I would like to disable the usage of privileged containers. If it is still necessary I would like to restrict it to a selected namespace.
Implementation idea
The validating webhook should reject pods that have the privileged flag set to true if they are not part of a selected namespace (namespace with allowed privileged containers).
Will be solved with #159.
The text was updated successfully, but these errors were encountered: