Default securityContext settings
gabegorelick opened this issue · 3 comments
gabegorelick commented
#780 introduced the ability to set a container securityContext, while pod-level securityContext has been supported since #200. However, only runAsNonRoot
is enabled by default.
Other settings that should potentially be enabled by default (subject to testing):
runAsUser: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation
, if no suid binaries are used- Drop unused capabilities
gabegorelick commented
I've been running KES with allowPrivilegeEscalation: false
, readOnlyRootFilesystem: true
, runAsUser: 1000
, and capabilities: {drop: [all]}
without any issues.
github-actions commented
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.
github-actions commented
This issue was closed because it has been stalled for 30 days with no activity.