isindir / sops-secrets-operator

Kubernetes SOPS secrets operator
Mozilla Public License 2.0

In security context, is the capability NET_BIND_SERVICE needed? #179

Closed twingate-blee closed 4 months ago

twingate-blee commented 5 months ago

Is the capability NET_BIND_SERVICE needed?

To pass the pod security policy:

    kubectl label --dry-run=server --overwrite ns sops \
       pod-security.kubernetes.io/enforce=restricted \
       pod-security.kubernetes.io/enforce-version=latest

I would like to change the security context to

    capabilities:
      drop:
        - all

vs

    capabilities:
      drop:
        - all
      add:
        - NET_BIND_SERVICE

isindir commented 4 months ago

@twingate-blee , you can override default values as you want: https://github.com/isindir/sops-secrets-operator/blob/master/chart/helm3/sops-secrets-operator/values.yaml#L170

twingate-blee commented 4 months ago

@isindir Yes, I already did that. My question is whether adding NET_BIND_SERVICE is needed. Will I have any issues with the application if I override the default value and remove it?

isindir commented 4 months ago

@twingate-blee I think the operator does not depend on this setting; I introduced it to cover a request for more secure settings for the operator pod.
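To make the question in this thread concrete, below is an added Python check (my own code, not part of the operator, its chart, or this issue) that applies the `restricted` profile's capabilities rule to a pod spec: every container must drop `ALL` and may add back only `NET_BIND_SERVICE`, so both of the securityContext variants from the first post pass, and the stricter one is simply the minimum. The pod dicts and the container name `operator` are constructed samples; the capability names are compared exactly as the Pod Security Standards spell them.

```python
# Restricted profile rule (Pod Security Standards, "Capabilities (v1.22+)"):
# every container must drop ALL capabilities and may add back only NET_BIND_SERVICE.
CAP_ALL = "ALL"
CAP_ALLOWED_ADD = {"NET_BIND_SERVICE"}


def container_violations(name, container):
    """Return human-readable violations for one container, or [] if compliant."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    problems = []
    if CAP_ALL not in (caps.get("drop") or []):
        problems.append(f"container {name!r} must drop capability {CAP_ALL!r}")
    for cap in caps.get("add") or []:
        if cap not in CAP_ALLOWED_ADD:
            problems.append(f"container {name!r} adds disallowed capability {cap!r}")
    return problems


def restricted_capability_violations(pod):
    """Check containers, initContainers and ephemeralContainers of a pod spec dict."""
    spec = pod.get("spec", {})
    violations = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            violations.extend(container_violations(c.get("name", "?"), c))
    return violations


def make_pod(capabilities):
    """Constructed sample pod with one container using the given capabilities block."""
    return {"apiVersion": "v1", "kind": "Pod",
            "spec": {"containers": [{"name": "operator",
                                     "image": "example/operator:latest",  # placeholder image
                                     "securityContext": {"capabilities": capabilities}}]}}


# The two variants from the issue, spelled as the standard spells them ("ALL").
DROP_ALL_ONLY = {"drop": ["ALL"]}
DROP_ALL_ADD_BIND = {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}
# Two constructed variants that the restricted profile rejects.
ADD_SYS_ADMIN = {"drop": ["ALL"], "add": ["SYS_ADMIN"]}
NO_DROP = {"add": ["NET_BIND_SERVICE"]}

if __name__ == "__main__":
    for label, caps in [("drop ALL only", DROP_ALL_ONLY), ("drop ALL + NET_BIND_SERVICE", DROP_ALL_ADD_BIND),
                        ("adds SYS_ADMIN", ADD_SYS_ADMIN), ("never drops ALL", NO_DROP)]:
        found = restricted_capability_violations(make_pod(caps))
        print(f"{label}: {'OK' if not found else found}")
```

The real admission check is `kubectl label --dry-run=server ...` as shown in the first post; this script only reproduces the capabilities part of the profile so you can see which of the two blocks is the stricter, still-compliant choice.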