SAP-archive / karydia

Kubernetes Security Walnut

Fine-grained Feature Selection #158

Closed Neumann-Nils closed 5 years ago

Neumann-Nils commented 5 years ago

Description

It should be possible to turn off/on each feature of karydia separately. For most features, it is clear how to disable them (e.g. set podSecurityContext to none). For those cases, it should be documented accordingly which value disables this feature. In other cases (e.g. automountServiceAccountToken) a value that disables this feature should be implemented.

User Story

As a user I want to have full and fine-grained control of the features of karydia in order to adapt to my needs.

Neumann-Nils commented 5 years ago

As an overview: It is possible to disable the two feature sets: defaultNetworkPolicy and karydiaAdmission by setting their values in the "values.yaml" to false. This will exclude the corresponding CLI flags from the "deployment.yaml".

Most single features can be disabled on their own:

In contrast, only automountServiceAccountToken cannot be disabled on its own.

Neumann-Nils commented 5 years ago

To-Do:

Neumann-Nils commented 5 years ago

automountServiceAccountToken can be disabled using another value than "change-default" or "change-all", i.e. "no-change" would be sufficient.