k8s 1.23 kubectl debug only allow single type of image - Githubissues

XenitAB / gatekeeper-library

Collection of OPA Gatekeeper policies that can be used in your Kubernetes cluster.

MIT License

14 stars 7 forks source link

k8s 1.23 kubectl debug only allow single type of image #84

Open NissesSenap opened 2 years ago

NissesSenap commented 2 years ago

In k8s 1.23 kubectl debug was introduced. As a part of this we have already added basic rules to make sure that the debug container can't run in privileged mode.

But to make sure that we know exactly witch software that is running in the debug containers we should also limit the image that can be used for a debug pod.

DoD:

Create the image in a good fitting repo with automatic updates etc. and publish it.
Write documentation about the image and how to use the debug container: https://github.com/XenitAB/xenitab.github.io
Write a OPA rule that makes it only possible to run a debug container with this image.