Setting Capabilities and/or Security Context for App?
joshuabuildsthings opened this issue · 4 comments
This is a question & potential feature request, not a bug report.
I was wondering if it's possible to set capabilities for apps deployed via Docker at configuration time?
Is this the case? If not, is it possible to extend Workflow to support this functionality?
Desired Outcome
Apps built via Docker would respect Kubernetes Security Context settings, such as adding NET_ADMIN capabilities to the container.
@Cryptophobia - Just wanted to check in on this as it's been quite some time without a response.
Do you have a good reference document about the subject? I'm not really familiar with security context, is this the same thing as PodSecurityPolicy?
@kingdonb - It is related to PodSecurityPolicy.
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/pods/security/security-context-4.yaml
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities
Basically, what I'm wondering is: can the capabilities for an app deployment be set either at build/deploy time or afterwards via the CLI?
@joshuabuildsthings, this is a very interesting feature request and we have already done some reading about security context settings on pods before this. It would be nice to be able to set these security contexts on pods via the CLI. We are open to pull requests and can prioritize this feature at some point, as my team will also be interested in these security context settings per pod. 🥇
> Basically, what I'm wondering is: can the capabilities for an app deployment be set either at build/deploy time or afterwards via the CLI?

I would think this is something we would prefer to set through the CLI and define in the hephy-controller, as some of these settings will be different per environment.
Some more context:
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/