open-telemetry / opentelemetry-helm-charts

OpenTelemetry Helm Charts
https://opentelemetry.io
Apache License 2.0

Security Vulnerabilities reported in Otel container #713

Open kalpesh6331 opened 1 year ago

kalpesh6331 commented 1 year ago

Description

We are using Otel in our application for tracing purposes. As part of our CIS standards, we have run a Prisma Cloud container security scan, which has reported the following vulnerabilities.

We would like to know if these can be fixed or are already fixed in any future releases. If it is fixed via configuration (changes in helm values), would it affect any functionality or working of Otel? Please note that it is a self-baked helm chart we are using to deploy Otel.

Vulnerabilities:

TylerHelmuth commented 1 year ago

@kalpesh6331 what collector image are you using? As this isn't specific to the helm chart I'll move the issue to the appropriate repository once I know what image you're using.

povilasv commented 1 year ago

I think we can restrict some of these in the actual helm chart?

Here is an example I found for read only root filesystem and allowPrivilegeEscalation:

apiVersion: v1
kind: Pod
metadata:
  name: webserver
  labels:
    name: webserver
spec:
  containers:
  - name: webserver
    image: nginx:alpine
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

This one seems to be configurable on the Kubelet side. Ref: https://kubernetes.io/docs/concepts/policy/pid-limiting/

@kalpesh6331 are you available to work on this?
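An added example (not code from the opentelemetry-helm-charts project or from anyone in this thread) that audits a rendered manifest for the two container-level settings shown in the Pod example above. It reads the JSON form of a Pod or a workload with a pod template, such as `kubectl get deploy <name> -o json`; the embedded sample Deployment is constructed.

```python
import json

# The two container-level settings from the Pod example above; the pod-level
# securityContext has no such fields, so each container must set them itself.
REQUIRED = {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False}


def pod_spec(obj):
    """Return the pod spec of a bare Pod or of a workload that embeds a pod template."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def audit(obj):
    """Map each container (init containers included) that lacks a required
    setting to a list of findings; an empty dict means the manifest passes."""
    findings = {}
    spec = pod_spec(obj)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        problems = [
            f"{key} should be {json.dumps(want)}, found {json.dumps(sc.get(key))}"
            for key, want in REQUIRED.items()
            # identity check: JSON booleans decode to the bool singletons,
            # so an unset field (None) or the wrong value both fail
            if sc.get(key) is not want
        ]
        if problems:
            findings[c["name"]] = problems
    return findings


# Constructed sample in the shape of `kubectl get deploy <name> -o json`:
# one container already hardened, one sidecar with only runAsNonRoot set.
SAMPLE = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "otel-collector"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "opentelemetry-collector",
    "securityContext": {"readOnlyRootFilesystem": true,
                        "allowPrivilegeEscalation": false}},
   {"name": "sidecar", "securityContext": {"runAsNonRoot": true}}
 ]}}}}
""")

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(f"container {name!r}:")
        for p in problems:
            print(f"  - {p}")
```

A read-only root filesystem makes any write to a path that is not a mounted volume fail, so pair it with an emptyDir mount for every path the collector configuration writes to.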

kalpesh6331 commented 1 year ago

Hi @povilasv. Sure, I will raise a PR; however, I wanted to know whether implementing the securityContext changes the application behavior. I am hoping there will be no effect on functionality due to this. Could someone please confirm?

R011y commented 1 year ago

Any update on this @kalpesh6331 ?