helm: refactor securityContext #5601

Merged
merged 3 commits into from
Nov 26, 2024

szaimen
Collaborator

@szaimen szaimen commented Nov 15, 2024

No description provided.

@szaimen szaimen added 2. developing Work in progress enhancement New feature or request labels Nov 15, 2024
@szaimen szaimen added this to the next milestone Nov 15, 2024
@szaimen szaimen changed the title helm: refactor securityContext to support restricted pod security sta… helm: refactor securityContext to support restricted pod security standard Nov 15, 2024
@szaimen szaimen force-pushed the enh/noid/refactor-helm-security branch 3 times, most recently from b041b42 to f0cc8db Compare November 21, 2024 18:31
@szaimen szaimen added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Nov 21, 2024
@szaimen szaimen marked this pull request as ready for review November 21, 2024 18:35
@szaimen szaimen force-pushed the enh/noid/refactor-helm-security branch 5 times, most recently from 11a1f68 to 8008d5b Compare November 21, 2024 19:59
@szaimen szaimen changed the title helm: refactor securityContext to support restricted pod security standard helm: refactor securityContext Nov 21, 2024
@denppa

denppa commented Nov 21, 2024

Thank you for your good work, it takes a lot of effort to harden the security aspect of things.

I found out that Docker's SYS_ADMIN does not actually mean anything in Kubernetes. See here, and according to the docs here and specs here, all of them seem to also support this unofficial document.

And if you add CAP_SYS_ADMIN instead of SYS_ADMIN, it will block allowPrivilegeEscalation to be set to true. Also, when CAP_SYS_ADMIN is added, Collabora forks and works. Therefore, it would be great if you can include this change in the helm charts.

@szaimen
Collaborator Author

szaimen commented Nov 21, 2024

Hi, thanks for your pointer! I'll look into it!

@szaimen szaimen force-pushed the enh/noid/refactor-helm-security branch from e6a0b19 to 069b414 Compare November 21, 2024 22:00
@szaimen szaimen requested a review from st3iny November 22, 2024 01:02
@szaimen szaimen force-pushed the enh/noid/refactor-helm-security branch 2 times, most recently from b58d49e to a4b9233 Compare November 25, 2024 08:46
@szaimen szaimen force-pushed the enh/noid/refactor-helm-security branch from a4b9233 to e800ed4 Compare November 25, 2024 08:52
@szaimen szaimen mentioned this pull request Nov 25, 2024
@szaimen szaimen merged commit 39cf8f7 into main Nov 26, 2024
9 checks passed
@szaimen szaimen deleted the enh/noid/refactor-helm-security branch November 26, 2024 09:42
Labels
3. to review Waiting for reviews enhancement New feature or request