Split streams makes sense.

* Inside the container (don't do bad things, pretty easy)
* Outside the container (make sure it can't do bad things, harder because of immutability etc...)
On Mon, May 4, 2020 at 1:20 PM Shawn Wells <sh...@redhat.com> wrote:
>
> On 5/4/20 12:51 PM, Trevor Vaughan wrote:
> > If you're supplying a container, and it needs privileged access to
> > function, then it should be able to bring everything that it needs
> > along with it.
> >
> > What's the point of 'bundled stuff' otherwise?
> >
> > It's easy to punt to the OS/Admin but we're trying to make it easier
> > for them instead of having them give up on the whole thing due to
> > complexity.
>
> Believe we agree on the legitimacy of the challenge. Would contend
> conversation around privileged containers belongs to the container
> management platform.
>
> e.g. in the OpenShift world the ability to run a privileged container is
> defined in a Security Context Constraint for the Kubernetes pod. For the
> OpenShift SCAP content we would evaluate if "allowPrivilegedContainer"
> is true/false to organizational policy. Has nothing to do with
> configuration attestation of whatever is running /inside/ the container.
>
> From a workflow perspective a compliance operator would scan the
> contents of the container image and the configuration of the pod. Behind
> the scenes this is likely two separate SCAP data streams but the user
> would only see one bundled scan.
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
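The two-stream model the quoted reply describes (evaluate the pod's SCC against organizational policy, scan the image contents separately, present one bundled result), as an added example that is not code from this thread or from the SCAP Security Guide project: the SCC manifests, image configs and policy table are constructed samples, the SCC field names follow the OpenShift API, and the image-side check on the OCI config `User` field is my own choice of a concrete "inside the container" check.

```python
import json
# Constructed SCC manifests (sample input), trimmed to the fields this check reads.
SCCS = json.loads("""[
 {"metadata": {"name": "restricted"},
  "allowPrivilegedContainer": false, "allowHostNetwork": false, "allowHostPID": false},
 {"metadata": {"name": "privileged"},
  "allowPrivilegedContainer": true, "allowHostNetwork": true, "allowHostPID": true},
 {"metadata": {"name": "legacy"}, "allowPrivilegedContainer": false}
]""")
# Constructed OCI image configs (sample input), trimmed to the "User" field.
IMAGES = {
    "app:1.0": {"config": {"User": "1001"}},
    "tool:2.0": {"config": {"User": ""}},  # empty User means the image runs as root
}

# Pod-side policy: listed SCC fields must hold an allowed value; unset fields are reported.
POD_POLICY = {
    "allowPrivilegedContainer": [False],
    "allowHostNetwork": [False],
    "allowHostPID": [False],
}

def evaluate_scc(scc, policy=POD_POLICY):
    """'Outside the container' stream: findings for one SCC (empty = pass)."""
    name = scc.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for field, allowed in policy.items():
        if field not in scc:
            findings.append(f"scc/{name}: {field} not set")
        elif scc[field] not in allowed:
            findings.append(f"scc/{name}: {field}={scc[field]!r}, allowed {allowed}")
    return findings

def evaluate_image(ref, image):
    """'Inside the container' stream: findings about the image contents."""
    user = image.get("config", {}).get("User", "")
    if user in ("", "root", "0") or user.startswith("0:") or user.startswith("root:"):
        return [f"image/{ref}: runs as root (User={user!r})"]
    return []

def bundled_scan(sccs, images):
    """Two separate streams, one report the user sees as a single scan."""
    report = {"pod": [], "image": []}
    for scc in sccs:
        report["pod"] += evaluate_scc(scc)
    for ref, image in images.items():
        report["image"] += evaluate_image(ref, image)
    report["passed"] = not (report["pod"] or report["image"])
    return report
```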