Fine-grained Feature Selection

SAP-archive / karydia

Kubernetes Security Walnut

Other

77 stars 10 forks source link

Fine-grained Feature Selection #158

Closed Neumann-Nils closed 5 years ago

Neumann-Nils commented 5 years ago

Description

It should be possible to turn off/on each feature of karydia seperately. For most features, it is clear how to disable them (e.g. set podSecurityContext to none). For those cases, it should be documented accordingle, which value disables this features. In other cases (e.g. automountServiceAccountToken) a value that disables this feature should be implemented.

User Story

As a user I want to have full and fine-grained control of the features of karydia in order to adapt to my needs.

Neumann-Nils commented 5 years ago

As an overview: It is possible to disable the two feature sets: defaultNetworkPolicy and karydiaAdmission by setting their values in the "values.yaml" to false. This will exclude the corresponding CLI flags from the "deployment.yaml".

Most single features can be disabled on their own:

defaultNetworkPolicy only has this single feature (thus, setting the feature to false is sufficient)
podSecurityContext can be set to "none"
seccompProfile can be set to "unconfined"

In contrast, only automountServiceAccountToken cannot be disabled on its own.

Neumann-Nils commented 5 years ago

To-Do:

[x] Add a value that disables the automountServiceAccountToken feature
[x] Update documentation to give an better overview how to disable all features

Neumann-Nils commented 5 years ago

automountServiceAccountToken can be disabled using another value than "change-default" or "change-all", i.e. "no-change would be sufficient.