Open scholzj opened 1 year ago
While `readonlyrootfilesystem` is not on the restricted list, it might also be something to consider.
The Trivy security scanner seems to like it....
```yaml
allowPrivilegeEscalation: false
capabilities:
  drop:
```
This is the common list that most operators I have used are using.
Yes please!
I spent some time to configure this.
```yaml
podSecurityContext: {}
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
```
Currently, the Helm Chart sets by default no security context, and users who want to set it to something specific can do so through the values options. Ideally, we would want to set the context to match the `restricted` profile by default since Strimzi Cluster Operator runs fine with it and it would follow the principle of giving it the least possible privilege. However, this change is not backwards compatible. This is because while the operator itself can run under these security context rules, it might conflict for many users with their existing rules which might for example enforce some particular user IDs etc. So it would break the Helm chart for them. They would be able to work around it by setting the right values when installing the Helm Chart. But they would need to be aware of it.
So in the community call on 20.4.2023, we decided to postpone it for a release with other major changes. E.g. the `1.0.0` which would likely also bring the CRD changes and many other things which would require the user's attention. This decision was taken as part of the discussion about #8417 which it replaces.
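
To compare a chart's security context values with what the `restricted` Pod Security Standard expects, here is an added example; it is not code from the Strimzi project or from anyone in this thread. The function names and the `CANDIDATE` values are hypothetical. It checks only the `securityContext` fields of the restricted profile, not the whole profile, and reports `readOnlyRootFilesystem` separately because it lies outside that profile.

```python
"""Check a pod/container securityContext pair against the securityContext
rules of the Kubernetes "restricted" Pod Security Standard."""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def restricted_violations(pod_sc, container_sc):
    """Return the restricted-profile rules that the effective settings break."""
    pod_sc, container_sc = pod_sc or {}, container_sc or {}

    def effective(key):
        # A container-level value overrides the pod-level one when both are set.
        return container_sc.get(key, pod_sc.get(key))

    problems = []
    if container_sc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be false")
    caps = container_sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        problems.append("capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
    if extra:
        problems.append("capabilities.add not allowed: " + ", ".join(sorted(extra)))
    if effective("runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true")
    if effective("runAsUser") == 0:
        problems.append("runAsUser must not be 0")
    seccomp = effective("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def hardening_notes(container_sc):
    """Settings outside the restricted profile that scanners commonly flag."""
    if (container_sc or {}).get("readOnlyRootFilesystem") is not True:
        return ["readOnlyRootFilesystem is not true"]
    return []


# Constructed inputs: an empty security context, and a hypothetical candidate.
EMPTY_DEFAULT = ({}, {})
CANDIDATE = (
    {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
     "readOnlyRootFilesystem": True},
)

if __name__ == "__main__":
    for name, (pod, ctr) in (("empty", EMPTY_DEFAULT), ("candidate", CANDIDATE)):
        print(name, restricted_violations(pod, ctr), hardening_notes(ctr))
```

A cluster that already enforces its own user IDs would show up here as a different `runAsUser` in the pod-level context, which passes as long as it is not 0.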