Closed CodeClinch closed 5 years ago
One idea (not mine) is to set runAsUser: 65534 (or 99 for CentOS) because nobody has known minimal privileges. If a developer adduser 1000, the filesystem and shell privileges may be bad.
@yu289333 you are right, the user 1000 will have more privileges than 65534. But for multiple cases nobody will not be enough. I guess the best idea is to make the default configurable and to provide different policies for both cases.
There is one more issue: if a user is specified in a pod as non-root but in a container as root, the container configuration will win. With the following configuration it will never run as root.
runAsUser:
  rule: 'MustRunAsNonRoot'
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Description
Security settings allow specifying that containers run with unprivileged users. If the securityContext is not specified, all containers will run as root.
The setting can be made on pod or container level. Karydia should add the securityContext and set the user to 1000 if it is not available.
User Story
As an administrator, I would like to have the option that all containers run with unprivileged users by default. Exceptions should be possible by namespace and on pod and container level.
Implementation idea
The mutating webhook should add the securityContext (runAsUser: 1000, fsGroup: 2000) if the securityContext is not specified and the namespace has not been excluded.
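A sketch of the mutation described in the implementation idea, as an added example that is not Karydia's own code. It also flags the container-level override raised in the comments, which the pod-level default does not prevent. The struct types are simplified stand-ins for the Kubernetes API types, and `Mutate`, `RootOverrides` and the exclusion set are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the Kubernetes API types (assumption: only the fields used here).
type SecurityContext struct {
	RunAsUser *int64 `json:"runAsUser,omitempty"`
	FSGroup   *int64 `json:"fsGroup,omitempty"` // pod level only in the real API
}
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
type PodSpec struct {
	SecurityContext *SecurityContext
	Containers      []Container
}

// PatchOp is one RFC 6902 JSON Patch operation, the form a mutating webhook returns.
type PatchOp map[string]interface{}

// Mutate adds runAsUser 1000 / fsGroup 2000 when the pod has no securityContext
// and the namespace is not in the (hypothetical) exclusion set.
func Mutate(ns string, excluded map[string]bool, spec PodSpec) (ops []PatchOp) {
	if !excluded[ns] && spec.SecurityContext == nil {
		uid, gid := int64(1000), int64(2000)
		ops = append(ops, PatchOp{"op": "add", "path": "/spec/securityContext", "value": SecurityContext{&uid, &gid}})
	}
	return ops
}

// RootOverrides names containers whose own runAsUser: 0 wins over the pod-level value.
func RootOverrides(spec PodSpec) (names []string) {
	for _, c := range spec.Containers {
		if sc := c.SecurityContext; sc != nil && sc.RunAsUser != nil && *sc.RunAsUser == 0 {
			names = append(names, c.Name)
		}
	}
	return names
}

func main() {
	root := int64(0) // constructed sample: "sidecar" explicitly requests UID 0
	spec := PodSpec{Containers: []Container{{"app", nil}, {"sidecar", &SecurityContext{RunAsUser: &root}}}}
	patch, _ := json.Marshal(Mutate("demo", map[string]bool{"kube-system": true}, spec))
	fmt.Println(string(patch), RootOverrides(spec))
}
```

For the constructed pod the patch adds the pod-level default, while `sidecar` is still reported because its container-level setting takes precedence.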