Add page on security model / options for Kubernetes

[johnharris85]

Description

As the use of admission and security tools like OPA Gatekeeper, Twistlock, Aqua, etc... becomes more prevalent, there are frequently queries like:

• Does kuma (sidecar/init) need root? If so, why?
• NET_ADMIN and NET_RAW are blocked, can I still run Kuma?
• Can I modify UID/GIDs? What is the impact of this?
• [x] What is the least privilege container/pod security context I can use for Kuma?
• I need to allowlist any secrets/configmaps that are created, where can I find the list?
• I don't want to automount service account tokens, what pattern can I use to avoid this?
• [x] How can I get granular control over the settings of the injected containers (sidecar/init) to tweak security-related settings?
  • ContainerPatch is documented
• [ ] Reorganize newly added/existing docs into new page

We have a number of tools at our disposal to address the above (CNI, containerpatch, etc...) and should have a docs / faq page going through common requirements / scenarios and explaining the solution / workaround. And if there are permissions / privileges that are absolutely required, we should document the scope of them, and why they are required.

Related: https://github.com/kumahq/kuma/issues/4298

[github-actions[bot]]

This issue was inactive for 30 days it will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant please comment on it promptly or attend the next triage meeting.

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[slonka]

I think this recently popped up in slack and @bartsmykla with @michaelbeaumont did some digging into this. Can you backfill this issue?

[johnharris85]

Ye we've probably answered / fixed a number of these things since I opened this issue. Maybe we can revisit this and try and get something in the docs for 2.3?

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

[slonka]

@johnharris85 is this page https://kuma.io/docs/2.6.x/production/#security ok for

Reorganize newly added/existing docs into new page

or did you have something else in mind?

[github-actions[bot]]

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.