SAP-archive / karydia

Kubernetes Security Walnut

Disallow Privileged Container #78

Open CodeClinch opened 5 years ago

CodeClinch commented 5 years ago

Description

From Kubernetes v1.1, any container in a pod can enable privileged mode, using the privileged flag on the SecurityContext description. This feature is only necessary for a few selected use cases. It should be possible to restrict this flag to the selected namespaces.

User Story

As an administrator, I would like to disable the usage of privileged containers. If it is still necessary I would like to restrict it to a selected namespace.

Implementation idea

The validating webhook should reject pods that have the privileged flag set to true if they are not part of a selected namespace (namespace with allowed privileged containers).

Will be solved with #159.
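
One way to implement the webhook check described in the implementation idea, as an added example that is not karydia's own code: a standard-library-only Go function that decodes the pod object from the admission request, looks at every container and init container for `securityContext.privileged: true`, and admits the pod only if no container is privileged or the request's namespace is in an allow-list. The minimal pod structs, the `kube-system` allow-list and the sample pod JSON are constructed for this example; a real webhook would decode into the k8s.io/api core/v1 types and call this from its AdmissionReview handler.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod object needed for the check. The example uses its
// own structs so it runs with the standard library only; a real webhook would
// decode into the k8s.io/api core/v1 types instead.
type securityContext struct {
	Privileged *bool `json:"privileged,omitempty"`
}

type container struct {
	Name            string           `json:"name"`
	SecurityContext *securityContext `json:"securityContext,omitempty"`
}

type pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Containers     []container `json:"containers"`
		InitContainers []container `json:"initContainers,omitempty"`
	} `json:"spec"`
}

// privilegedContainers lists every container, init containers included, that
// sets securityContext.privileged: true. Init containers run with the same
// flag, so checking spec.containers alone would be trivially bypassable.
func privilegedContainers(p *pod) []string {
	var names []string
	all := make([]container, 0, len(p.Spec.InitContainers)+len(p.Spec.Containers))
	all = append(all, p.Spec.InitContainers...)
	all = append(all, p.Spec.Containers...)
	for _, c := range all {
		if c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
			names = append(names, c.Name)
		}
	}
	return names
}

// validatePrivileged implements the policy from the issue: admit the pod unless
// it contains a privileged container and its namespace is not allow-listed.
// The namespace is taken from the AdmissionRequest rather than the pod object,
// because metadata.namespace may be empty in the object sent to the webhook.
// A decoding failure is returned as an error so the caller can fail closed.
func validatePrivileged(rawPod []byte, namespace string, allowedNamespaces map[string]bool) (bool, string, error) {
	var p pod
	if err := json.Unmarshal(rawPod, &p); err != nil {
		return false, "", fmt.Errorf("decoding pod: %w", err)
	}
	priv := privilegedContainers(&p)
	if len(priv) == 0 || allowedNamespaces[namespace] {
		return true, "", nil
	}
	return false, fmt.Sprintf("pod %q: privileged container(s) %v not allowed in namespace %q",
		p.Metadata.Name, priv, namespace), nil
}

// Constructed sample pods for the example (not taken from the issue or a real cluster).
const (
	samplePrivilegedPod     = `{"metadata":{"name":"debug"},"spec":{"containers":[{"name":"shell","securityContext":{"privileged":true}}]}}`
	samplePrivilegedInitPod = `{"metadata":{"name":"init-priv"},"spec":{"initContainers":[{"name":"setup","securityContext":{"privileged":true}}],"containers":[{"name":"app"}]}}`
	sampleUnprivilegedPod   = `{"metadata":{"name":"web"},"spec":{"containers":[{"name":"app","securityContext":{"privileged":false}},{"name":"sidecar"}]}}`
)

func main() {
	// Hypothetical allow-list; in a real deployment this would come from the webhook's policy config.
	allowed := map[string]bool{"kube-system": true}
	for _, tc := range []struct{ pod, ns string }{
		{samplePrivilegedPod, "default"},
		{samplePrivilegedPod, "kube-system"},
		{samplePrivilegedInitPod, "default"},
		{sampleUnprivilegedPod, "default"},
	} {
		ok, reason, err := validatePrivileged([]byte(tc.pod), tc.ns, allowed)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("namespace=%s allowed=%v %s\n", tc.ns, ok, reason)
	}
}
```

Two details matter in practice: the check must cover `initContainers` as well as `containers`, since both accept the same flag, and a pod the webhook cannot decode should be rejected rather than admitted, so that a malformed request cannot slip past the policy.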

marwinski commented 5 years ago

Well, an alternative way to do this is pod security policies. Before we build an alternative mechanism, we may want to weigh the pros and cons of this. My gut feeling is that this feature is useful, but I believe we need to understand the consequences.

ionysos commented 5 years ago

Containers are unprivileged by default, which fits perfectly with our current secure-by-default approach with karydia. Thus, we've decided to go with the current K8s default and consider a suitable solution for later releases of karydia.