Going through Kubernetes pod security standards, it seem it'd be desirable to audit custom SELinux user or role.
Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.
Restricted Fields
- spec.securityContext.seLinuxOptions.type
- spec.containers[*].securityContext.seLinuxOptions.type
- spec.initContainers[*].securityContext.seLinuxOptions.type
- spec.ephemeralContainers[*].securityContext.seLinuxOptions.type
Allowed Values
- Undefined/""
- container_t
- container_init_t
- container_kvm_t
Restricted Fields
- spec.securityContext.seLinuxOptions.user
- spec.containers[*].securityContext.seLinuxOptions.user
- spec.initContainers[*].securityContext.seLinuxOptions.user
- spec.ephemeralContainers[*].securityContext.seLinuxOptions.user
- spec.securityContext.seLinuxOptions.role
- spec.containers[*].securityContext.seLinuxOptions.role
- spec.initContainers[*].securityContext.seLinuxOptions.role
- spec.ephemeralContainers[*].securityContext.seLinuxOptions.role
Allowed Values
- Undefined/""
ISSUE TYPE
[ ] Bug Report
[x] Feature Idea
BUG REPORT
SUMMARY
Follow best practices and latest security recommendations
FEATURE IDEA
[ ] If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.1
Proposal:
1This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.
Going through Kubernetes pod security standards, it seem it'd be desirable to audit custom SELinux user or role.
ISSUE TYPE
BUG REPORT
SUMMARY
Follow best practices and latest security recommendations
FEATURE IDEA
Proposal:
1 This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.