envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0
1.55k stars, 333 forks

set user group and user id for the default SecurityContext #4313

Closed zhaohuabing closed 4 days ago

zhaohuabing commented 5 days ago

This PR sets the user group and user ID for the default SecurityContext to harden the EG deployment. This is recommended by some security frameworks and is usually checked by security scanning tools.

Reference: https://hub.armosec.io/docs/c-0013

Related: https://github.com/envoyproxy/gateway/pull/3940

codecov[bot] commented 5 days ago

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 65.76%. Comparing base (7a9556a) to head (cb02506). Report is 8 commits behind head on main.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #4313      +/-   ##
==========================================
- Coverage   65.82%   65.76%   -0.07%
==========================================
  Files         197      197
  Lines       23763    23767       +4
==========================================
- Hits        15642    15630      -12
- Misses       7006     7018      +12
- Partials     1115     1119       +4
```


arkodg commented 5 days ago

Isn't this already baked into the image / distroless?

zhaohuabing commented 4 days ago

> Isn't this already baked into the image / distroless?

Yes. This PR just explicitly sets the user ID and group ID in the container's SecurityContext. This is recommended by some security frameworks and is checked by security scanning tools, e.g., https://hub.armosec.io/docs/c-0013
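The distinction drawn in this thread (the image already runs as a non-root user, but the manifest does not say so) is exactly what a scanner looks at: it reads the pod spec, not the image. The following is an added example, not code from envoyproxy/gateway, that performs the kind of check a scanning tool applies to a Deployment. It merges the pod-level and container-level `securityContext` the way the kubelet does (container overrides pod), flags a missing or root `runAsUser` / `runAsGroup` and a missing `runAsNonRoot`, and shows a "before" manifest beside a hardened copy. The manifest contents, the image reference and the UID/GID 65532 (the `nonroot` user in distroless base images) are constructed for illustration and are not values taken from the PR.

```python
import copy
from typing import Any, Dict, List

# Fields the kubelet reads to decide which UID/GID the process gets.
# A container-level securityContext value overrides the pod-level one.
_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")

# 65532 is the "nonroot" user shipped in distroless base images; using it
# here is an assumption for illustration, not a value taken from the PR.
NONROOT_ID = 65532

# Constructed "before" Deployment: the UID/GID comes only from the image's USER,
# so a manifest scanner cannot tell whether the process will run as root.
BEFORE: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "envoy-gateway"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "envoy-gateway",
                        "image": "example.invalid/envoy-gateway:placeholder",  # constructed
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]},
                        },
                    }
                ]
            }
        }
    },
}


def harden(deployment: Dict[str, Any], uid: int, gid: int) -> Dict[str, Any]:
    """Return a copy with runAsUser/runAsGroup/runAsNonRoot set on every container."""
    out = copy.deepcopy(deployment)
    pod_spec = out["spec"]["template"]["spec"]
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = container.setdefault("securityContext", {})
        sc.update({"runAsUser": uid, "runAsGroup": gid, "runAsNonRoot": True})
    return out


def effective_security_context(pod_spec: Dict[str, Any], container: Dict[str, Any]) -> Dict[str, Any]:
    """Merge pod-level and container-level fields; container values win."""
    pod_sc = pod_spec.get("securityContext") or {}
    container_sc = container.get("securityContext") or {}
    merged: Dict[str, Any] = {}
    for field in _FIELDS:
        if field in container_sc:
            merged[field] = container_sc[field]
        elif field in pod_sc:
            merged[field] = pod_sc[field]
    return merged


def check_non_root(deployment: Dict[str, Any]) -> List[str]:
    """Return one finding per missing or root-valued identity field, per container."""
    findings: List[str] = []
    pod_spec = deployment["spec"]["template"]["spec"]
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = container["name"]
        sc = effective_security_context(pod_spec, container)
        uid, gid = sc.get("runAsUser"), sc.get("runAsGroup")
        if uid is None:
            findings.append(f"{name}: runAsUser not set; UID is whatever the image's USER says")
        elif uid == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        if gid is None:
            findings.append(f"{name}: runAsGroup not set; GID is whatever the image's USER says")
        elif gid == 0:
            findings.append(f"{name}: runAsGroup is 0 (root group)")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true; the kubelet will not refuse a root image")
    return findings


if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", harden(BEFORE, NONROOT_ID, NONROOT_ID))):
        result = check_non_root(manifest)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Two properties of the explicit fields are worth knowing when reading the findings: `runAsUser` overrides the image's `USER` directive, so the manifest alone determines the UID, and `runAsNonRoot: true` makes the kubelet refuse to start a container whose effective UID is 0, which is the enforcement the image-only approach lacks.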