Open chen-keinan opened 10 months ago
@Mo0rBy it's true the supplementalGroups setting is not mandatory. However, this setting is useful in scenarios where you want to grant a container additional permissions beyond those associated with the primary group.
For example, if you have a Pod that needs access to certain resources or files that are accessible only by a specific group, you can use supplementalGroups to add that group to the container. This way, the container gains the necessary permissions associated with that supplemental group.
If you don't have these requirements for additional groups, you may not need to set the supplementalGroups field. It depends on the security and permission requirements of your application and the environment in which it runs.
PSS baseline checks are executed by default; you can ignore specific checks by using exceptions.
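To make the supplementalGroups point above concrete, here is an added example manifest (not from this issue thread or from Trivy's code) of a Pod that runs as a non-root user and is granted one extra group ID so it can read a volume owned by that group. The UIDs, GIDs, image name and PVC name are assumed values chosen for the illustration:

```yaml
# Added illustration, not from the issue or from Trivy. All UIDs/GIDs,
# the image and the PVC name below are assumed values for the example.
apiVersion: v1
kind: Pod
metadata:
  name: supplemental-groups-demo
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000          # primary UID of every container process
    runAsGroup: 1000         # primary GID (group 1000)
    # Extra group memberships added to every container process. Files or
    # devices owned by gid 3000 with group read/write bits become
    # accessible even though the primary group stays 1000. Nothing on disk
    # is changed by this setting; only the process's group list grows.
    supplementalGroups: [3000]
    # fsGroup is different: the kubelet applies it to the ownership of
    # supported volumes at mount time and also adds it to the process's
    # supplemental groups. Use it when you control the volume's ownership;
    # use supplementalGroups when you must match a group that already owns
    # the data.
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0   # assumed placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: shared-data
          mountPath: /data
          readOnly: true
  volumes:
    - name: shared-data
      persistentVolumeClaim:
        claimName: shared-data   # assumed PVC whose files are owned by gid 3000
```

After the Pod is running, `kubectl exec supplemental-groups-demo -- id` should list gid 1000 as the primary group and 2000 and 3000 among the supplementary groups; if `/data` is still unreadable, check the group ownership and mode bits on the volume rather than adding more groups. Keep the list to the groups the workload actually needs: every GID added here widens what the process can read or write on shared storage and devices.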
Ah ok, thank you for the explanation on supplementalGroups, that makes perfect sense.
Yes, I figured that the PSS baseline standards were being followed by default, but I think it would be nice to be able to select which PSS standard to use. In the original discussion (which this issue was created from) I used Rego policy files to create exceptions, as my team and I are following the PSS restricted standards.
I think this is my main issue. By default, the PSS baseline standards are used and there is no easy way to select a different PSS standard without creating the Rego policy exceptions. It just seems to me as if you need to really get deep into how Trivy works in order to make full use of this feature. This isn't necessarily a bad thing; it's actually been really good for me to understand that Trivy uses this repo to get the rules used during the misconfiguration scans, but I do think it should be easier for Trivy users to select a PSS standard to use, rather than having to create custom exceptions.
@Mo0rBy have you seen Trivy's compliance feature? https://aquasecurity.github.io/trivy/v0.47/docs/compliance/compliance/ Specifically, Kubernetes compliance (including PSS): https://aquasecurity.github.io/trivy/v0.47/docs/target/kubernetes/#compliance
Yes, I have seen this feature, but this runs against a live Kubernetes cluster, not against Helm charts. We will be using this feature in the future, but we would like to get our scan results from the Helm charts we deploy BEFORE we deploy them. The reports are given to another team to ensure we are meeting best practices etc.
We will probably use the compliance feature in our pre-prod cluster to ensure that our deployments meet the standards, but again, we would like to scan our Helm charts for any misconfigurations before they are deployed.
Discussed in https://github.com/aquasecurity/trivy/discussions/5174