Why do the druid-operator need to run in a privileged security context. - Githubissues

datainfrahq / druid-operator

Apache Druid On Kubernetes

Other

101 stars 42 forks source link

Why do the druid-operator need to run in a privileged security context. #178

Open avnes opened 2 months ago

avnes commented 2 months ago

There are four pod defintions that is configured with containerSecurityContext.privileged: true.

Why is this needed? This is clearly a red flag.

https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html#continuously-assess-the-privileges-used-by-containers

containerSecurityContext:
    privileged: true

These are the definitions: https://github.com/datainfrahq/druid-operator/blob/master/e2e/configs/druid-cr.yaml https://github.com/datainfrahq/druid-operator/blob/master/e2e/configs/druid-mmless.yaml https://github.com/datainfrahq/druid-operator/blob/master/tutorials/druid-on-kind/druid-mmless.yaml https://github.com/datainfrahq/druid-operator/blob/master/examples/tiny-cluster-mmless.yaml

AdheipSingh commented 2 months ago

Go ahead and submit a PR ! Thanks for bring this up.