[
https://issues.apache.org/jira/browse/YUNIKORN-3132?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shubham Mishra updated YUNIKORN-3132:
-------------------------------------
Description:
Currently the security context for placeholder pods only sets non root user and
groups -
[https://github.com/apache/yunikorn-k8shim/blob/master/pkg/cache/placeholder.go#L100]
{code:java}
Spec: v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ RunAsUser:
&runAsUser, RunAsGroup: &runAsGroup, },{code}
In many enterprise secure environments, this might not be enough and should be
more restrictive by design (unless it breaks any functionality).
Proposing to modify the placeholder.go to add following
- *podSecurityContext:*
{code:java}
podSecurityContext:
fsGroup:3000
runAsGroup:3000
runAsNonRoot: true
runAsUser:1000{code}
* *containerSecurityContext:*
{code:java}
containerSecurityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
-all{code}
* *hostNetwork: false*
was:
Currently the security context for placeholder pods only sets non root user and
groups -
[https://github.com/apache/yunikorn-k8shim/blob/master/pkg/cache/placeholder.go#L100]
{code:java}
Spec: v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ RunAsUser:
&runAsUser, RunAsGroup: &runAsGroup, },{code}
In many enterprise secure environments, this might not be enough and should be
more restrictive by design (unless it breaks any functionality).
Proposing to modify the placeholder.go to add following
- *podSecurityContext:*
{code:java}
podSecurityContext:
fsGroup:3000
runAsGroup:3000
runAsNonRoot: true
runAsUser:1000{code}
* *containerSecurityContext:*
{code:java}
containerSecurityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
-all{code}
* hostNetwork: false
> Pod & Container Security Context for placeholder pods to be hardened
> --------------------------------------------------------------------
>
> Key: YUNIKORN-3132
> URL: https://issues.apache.org/jira/browse/YUNIKORN-3132
> Project: Apache YuniKorn
> Issue Type: Improvement
> Components: shim - kubernetes
> Reporter: Shubham Mishra
> Assignee: Shubham Mishra
> Priority: Major
>
> Currently the security context for placeholder pods only sets non root user
> and groups -
> [https://github.com/apache/yunikorn-k8shim/blob/master/pkg/cache/placeholder.go#L100]
> {code:java}
> Spec: v1.PodSpec{ SecurityContext: &v1.PodSecurityContext{ RunAsUser:
> &runAsUser, RunAsGroup: &runAsGroup, },{code}
> In many enterprise secure environments, this might not be enough and should
> be more restrictive by design (unless it breaks any functionality).
> Proposing to modify the placeholder.go to add following
> - *podSecurityContext:*
> {code:java}
> podSecurityContext:
> fsGroup:3000
> runAsGroup:3000
> runAsNonRoot: true
> runAsUser:1000{code}
> * *containerSecurityContext:*
> {code:java}
> containerSecurityContext:
> privileged: false
> allowPrivilegeEscalation: false
> readOnlyRootFilesystem: true
> capabilities:
> drop:
> -all{code}
> * *hostNetwork: false*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
