quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0
13.82k stars 2.69k forks

Add allowPrivilegeEscalation to security context configuration in the Kubernetes extension #42965

Open chapitos opened 2 months ago

chapitos commented 2 months ago

Description

Currently it is not possible to set the allowPrivilegeEscalation property of the security context in the Kubernetes extension using application properties. Setting this property to false will prevent the pod (container) from gaining more privileges than the parent process. Many clusters use policy agents which will, by default, hinder the start of a pod whose security context does not have this property explicitly set to false.

Implementation ideas

Extend the relevant classes to support the new property:

quarkus-bot[bot] commented 2 months ago

/cc @geoand (kubernetes), @iocanel (kubernetes), @radcortez (config), @sberyozkin (security)

geoand commented 2 months ago

@chapitos as you seem to have analyzed what is required, would you like to open a Pull Request with your proposal?

Thanks
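Added example, not part of the issue thread and not Quarkus code: a check of the kind the issue says policy agents apply, flagging every container whose securityContext does not set allowPrivilegeEscalation to exactly false. In the Kubernetes API this field exists only on the container-level securityContext, so the check goes through each container list and ignores the pod-level one. The sample manifest and the names `pod_spec` and `violations` are constructed for illustration.

```python
import json

# Constructed sample manifest (not from the issue): a Deployment in JSON form.
MANIFEST = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "demo-app"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": true},
    "initContainers": [
      {"name": "init", "securityContext": {"allowPrivilegeEscalation": true}}
    ],
    "containers": [
      {"name": "app", "securityContext": {"allowPrivilegeEscalation": false}},
      {"name": "sidecar"}
    ]
  }}}
}
""")

# Every list of a pod spec that can hold containers.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that has spec.template."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def violations(obj):
    """Return (list name, container name, reason) for each container whose
    securityContext does not set allowPrivilegeEscalation to exactly false."""
    found = []
    for field in CONTAINER_LISTS:
        for c in pod_spec(obj).get(field) or []:
            ctx = c.get("securityContext") or {}
            if "allowPrivilegeEscalation" not in ctx:
                found.append((field, c["name"], "not set"))
            elif ctx["allowPrivilegeEscalation"] is not False:
                found.append((field, c["name"], "set to %r" % ctx["allowPrivilegeEscalation"]))
    return found


if __name__ == "__main__":
    for field, name, reason in violations(MANIFEST):
        print(f"demo-app: {field}/{name}: allowPrivilegeEscalation {reason}")
```

An unset field is reported separately from an explicit true, which is the case the issue is about: a generated manifest that simply omits the property.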