Shubham Mishra created YUNIKORN-3132:
----------------------------------------
Summary: Pod & Container Security Context to be hardened
Key: YUNIKORN-3132
URL: https://issues.apache.org/jira/browse/YUNIKORN-3132
Project: Apache YuniKorn
Issue Type: Improvement
Components: shim - kubernetes
Reporter: Shubham Mishra
Currently the security context for placeholder pods only sets non-root user and
groups:
{code:java}
Spec: v1.PodSpec{
	SecurityContext: &v1.PodSecurityContext{
		RunAsUser:  &runAsUser,
		RunAsGroup: &runAsGroup,
	},
{code}
In many enterprise secure environments, this might not be enough and should be
more restrictive by design (unless it breaks any functionality).
Proposing to modify placeholder.go to add the following:
- *podSecurityContext:*
{code}
podSecurityContext:
  fsGroup: 3000
  runAsGroup: 3000
  runAsNonRoot: true
  runAsUser: 1000
{code}
- *containerSecurityContext:*
{code}
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
  drop:
    - ALL
{code}
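An added example, not part of the original issue or the YuniKorn code base: a stand-alone Go check that reports which of the proposed settings a pod spec (as JSON) does not meet. The struct types are local stand-ins for the Kubernetes API types, and the container name and UID/GID values in the two sample specs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// secCtx mirrors only the fields named in the issue (local stand-in, not k8s.io/api).
type secCtx struct {
	RunAsNonRoot, Privileged, AllowPrivilegeEscalation, ReadOnlyRootFilesystem *bool
	Capabilities struct{ Drop []string }
}
type container struct{ Name string; SecurityContext secCtx }
type podSpec struct{ SecurityContext secCtx; Containers []container }

func isTrue(b *bool) bool { return b != nil && *b }

// audit lists the proposed settings that a pod spec (as JSON) does not meet.
func audit(specJSON string) ([]string, error) {
	var p podSpec
	if err := json.Unmarshal([]byte(specJSON), &p); err != nil {
		return nil, err
	}
	var out []string
	add := func(bad bool, msg string) {
		if bad {
			out = append(out, msg)
		}
	}
	add(!isTrue(p.SecurityContext.RunAsNonRoot), "pod: runAsNonRoot is not true")
	for _, c := range p.Containers {
		sc, dropsAll := c.SecurityContext, false
		for _, d := range sc.Capabilities.Drop {
			dropsAll = dropsAll || d == "ALL" // literal value used in the Kubernetes docs
		}
		add(isTrue(sc.Privileged), c.Name+": privileged is true")
		// An unset allowPrivilegeEscalation does not block escalation, so nil fails too.
		add(sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation, c.Name+": allowPrivilegeEscalation is not false")
		add(!isTrue(sc.ReadOnlyRootFilesystem), c.Name+": readOnlyRootFilesystem is not true")
		add(!dropsAll, c.Name+": capabilities.drop lacks ALL")
	}
	return out, nil
}

// Constructed samples: a spec with only user/group set, and one with the proposed settings.
const currentSpec = `{"securityContext":{"runAsUser":1000,"runAsGroup":3000},"containers":[{"name":"placeholder"}]}`
const hardenedSpec = `{"securityContext":{"fsGroup":3000,"runAsGroup":3000,"runAsNonRoot":true,"runAsUser":1000},"containers":[{"name":"placeholder","securityContext":{"privileged":false,"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"capabilities":{"drop":["ALL"]}}}]}`

func main() { fmt.Println(audit(currentSpec)) }
```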