jupyterhub / zero-to-jupyterhub-k8s

Helm Chart & Documentation for deploying JupyterHub on Kubernetes
https://zero-to-jupyterhub.readthedocs.io

Security context hardening #3464

Closed lahwaacz closed 3 months ago

lahwaacz commented 4 months ago

This should allow running JupyterHub in a namespace with a restricted security profile according to the Pod Security Standards (assuming an appropriate configuration for the singleuser pods in KubeSpawner).

manics commented 3 months ago

Thanks for the PR! For reference, would you mind describing how RuntimeDefault differs from the default seccompProfile, and what default capabilities will be dropped by drop: ["ALL"]? Thanks!

lahwaacz commented 3 months ago

Kubernetes default for seccompProfile is Unconfined (unless the seccompDefault kubelet option is enabled). RuntimeDefault means that the default seccomp profile of the container runtime (e.g. CRI-O or containerd) is used. You can find more details here: https://kubernetes.io/docs/tutorials/security/seccomp/

The default capabilities also depend on the container runtime. For example, CRI-O has CHOWN, DAC_OVERRIDE, FSETID, FOWNER, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, KILL by default. Docker (and containerd) has more.
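As an added example (not part of this PR or of the chart's code), the following checks the two settings discussed in this thread, seccompProfile and capabilities, against the restricted Pod Security Standard, including the case where a container-level seccompProfile overrides the pod-level one. It assumes CRI-O's default capability list as quoted above; the pod specs and container names are constructed.

```python
# Added example, not chart code. Checks only the seccomp and capability rules.
# CRI-O default capabilities, as listed in the comment above.
CRIO_DEFAULT_CAPS = {"CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID",
                     "SETUID", "SETPCAP", "NET_BIND_SERVICE", "KILL"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}  # types the restricted profile accepts

def effective_seccomp(pod_spec, container):
    """Container-level seccompProfile overrides the pod-level one."""
    for ctx in (container.get("securityContext", {}), pod_spec.get("securityContext", {})):
        profile = ctx.get("seccompProfile")
        if profile:
            return profile.get("type", "Unconfined")
    return "Unconfined"  # Kubernetes default unless kubelet seccompDefault is enabled

def effective_caps(container, runtime_defaults=CRIO_DEFAULT_CAPS):
    """Capabilities left after applying drop/add to the runtime's default set."""
    caps = container.get("securityContext", {}).get("capabilities", {})
    drop, add = set(caps.get("drop", [])), set(caps.get("add", []))
    base = set() if "ALL" in drop else set(runtime_defaults) - drop
    return base | add

def check_pod(pod_spec):
    """Return findings for the seccomp and capability rules of the restricted profile."""
    findings = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        caps = c.get("securityContext", {}).get("capabilities", {})
        seccomp = effective_seccomp(pod_spec, c)
        if seccomp not in ALLOWED_SECCOMP:
            findings.append(f"{c['name']}: seccompProfile type is {seccomp}")
        if "ALL" not in caps.get("drop", []):
            kept = ", ".join(sorted(effective_caps(c)))
            findings.append(f"{c['name']}: drop lacks ALL, container keeps {kept}")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            findings.append(f"{c['name']}: adds {', '.join(sorted(extra))}")
    return findings

# Constructed samples; the container names are hypothetical.
HARDENED = {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "hub", "securityContext": {
                "capabilities": {"drop": ["ALL"]}}}]}
OVERRIDE = {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "sidecar", "securityContext": {
                "seccompProfile": {"type": "Unconfined"},
                "capabilities": {"drop": ["KILL"], "add": ["NET_ADMIN"]}}}]}

if __name__ == "__main__":
    for spec in (HARDENED, OVERRIDE):
        print(check_pod(spec) or "passes the seccomp and capability checks")
```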