external-secrets / kubernetes-external-secrets

Integrate external secret management systems with Kubernetes
MIT License

Default securityContext settings #862

Closed gabegorelick closed 2 years ago

gabegorelick commented 2 years ago

#780 introduced the ability to set a container securityContext, while pod-level securityContext has been supported since #200. However, only runAsNonRoot is enabled by default.

Other settings that should potentially be enabled by default (subject to testing):

gabegorelick commented 2 years ago

I've been running KES with allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, runAsUser: 1000, and capabilities: {drop: [all]} without any issues.
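
Added example, not part of the original comment or the project's code: a small Python audit that checks a Pod spec for the settings listed in the comment above, resolving container-level against pod-level securityContext. The function names, the sample manifest and the choice to flag an unset runAsUser are assumptions made for illustration.

```python
def effective(container, pod, key):
    """Container-level securityContext wins; otherwise inherit the pod-level value."""
    pod_sc = pod.get("securityContext") or {}
    return (container.get("securityContext") or {}).get(key, pod_sc.get(key))

def audit_container(container, pod):
    """Return findings for one container, checking the settings named in the issue."""
    sc = container.get("securityContext") or {}
    findings = []
    # These three fields exist only at container level, so nothing is inherited.
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true")
    drops = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in [d.upper() for d in drops]:  # case-insensitive match
        findings.append("capabilities.drop lacks all")
    # runAsNonRoot and runAsUser may come from the pod-level securityContext.
    if effective(container, pod, "runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true")
    if not effective(container, pod, "runAsUser"):  # unset or UID 0 (assumed policy)
        findings.append("runAsUser is unset or 0")
    return findings

def audit_pod(pod):
    """Map container name -> findings across containers and initContainers."""
    both = (pod.get("containers") or []) + (pod.get("initContainers") or [])
    return {c["name"]: audit_container(c, pod) for c in both}

# Constructed sample Pod spec: one container relying only on pod-level
# runAsNonRoot, one carrying the four settings from the comment above.
SAMPLE_POD = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "default-only", "image": "example/app:constructed"},
        {"name": "hardened", "image": "example/app:constructed",
         "securityContext": {
             "allowPrivilegeEscalation": False,
             "readOnlyRootFilesystem": True,
             "runAsUser": 1000,
             "capabilities": {"drop": ["all"]}}},
    ],
}

if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD).items():
        print(name, "OK" if not findings else findings)
```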

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] commented 2 years ago

This issue was closed because it has been stalled for 30 days with no activity.