Closed andrewhowdencom closed 7 years ago
Kubernetes allows us to drop capabilities. We should drop everything by default, and only allow what's required.
https://kubernetes.io/docs/concepts/policy/container-capabilities/
Do this by creating and consuming a pod security policy context.
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#strategies
After some thinking, I'm not sure this makes sense. It's the sort of thing that seccomp is better for.
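A sketch of what the issue describes, added here as an example and not taken from this repository: a policy that drops every capability and allows one back, the RBAC that lets a service account consume it, and a pod that matches. All names (`drop-all-caps`, `web`, `app`), the image, and the choice of `NET_BIND_SERVICE` as the one required capability are assumptions.

```yaml
# Added example; names, namespace and image are hypothetical.
# PodSecurityPolicy was removed in Kubernetes 1.25, so the first three objects
# only apply to clusters that still serve policy/v1beta1. The pod-level
# securityContext at the bottom works without any policy object.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata: {name: drop-all-caps}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]           # dropped for every pod admitted under this policy
  allowedCapabilities: ["NET_BIND_SERVICE"]   # the only capability a container may add back
  seLinux: {rule: RunAsAny}
  runAsUser: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  volumes: ["configMap", "secret", "emptyDir"]
---
# Consuming the policy: the pod's service account needs the `use` verb on it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: use-drop-all-caps, namespace: web}
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["drop-all-caps"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: use-drop-all-caps, namespace: web}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: use-drop-all-caps}
subjects:
  - {kind: ServiceAccount, name: app, namespace: web}
---
apiVersion: v1
kind: Pod
metadata: {name: app, namespace: web}
spec:
  serviceAccountName: app
  containers:
    - name: app
      image: registry.example/app:1.0         # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]                       # start from an empty capability set
          add: ["NET_BIND_SERVICE"]           # add back only what the workload needs
```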