teamhephy / workflow

Hephy Workflow - An open source fork of Deis Workflow - The open source PaaS for Kubernetes.
MIT License

Setting Capabilities and/or Security Context for App? #56

Open joshuabuildsthings opened 6 years ago

joshuabuildsthings commented 6 years ago

This is a question & potential feature request, not a bug report.

I was wondering if it's possible to set capabilities for apps deployed via Docker at configuration time?

Is this the case? If not, is it possible to extend Workflow to support this functionality?

Desired Outcome

Apps built via Docker would respect Kubernetes Security Context settings; such as adding NET_ADMIN capabilities to the container.

joshuabuildsthings commented 5 years ago

@Cryptophobia - Just wanted to check in on this as it's been quite some time without a response.

kingdonb commented 5 years ago

Do you have a good reference document about the subject? I'm not really familiar with security context, is this the same thing as PodSecurityPolicy?

joshuabuildsthings commented 5 years ago

@kingdonb - It is related to PodSecurityPolicy.

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container

https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/pods/security/security-context-4.yaml

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#capabilities

Basically, what I'm wondering is: can the capabilities for an app deployment be set either at build/deploy time or afterwards via the CLI?

Cryptophobia commented 5 years ago

@joshuabuildsthings, this is a very interesting feature request and we have already done some reading about security context settings on pods before this. It would be nice to be able to set these security contexts on pods via the CLI. We are open to pull requests and can prioritize this feature at some point as my team will also be interested in these security context settings per pod. :1st_place_medal:

Basically, what I'm wondering is: can the capabilities for an app deployment be set either at build/deploy time or afterwards via the CLI?

I would think this is something we would prefer to set through the CLI and defined in the hephy-controller as some of these settings will be different per environment.

Some more context: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
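For reference, this is what the hephy-controller would have to emit for the NET_ADMIN case discussed in this issue, together with the PodSecurityPolicy the cluster needs in place for the API server to admit such a pod. It is an added example, not code from the Hephy Workflow project; the names example-app and hephy-app-netadmin and the image tag are placeholders.

```yaml
# Added example (not Hephy Workflow code). The pod drops every capability and
# adds back only NET_ADMIN; the PodSecurityPolicy below is the cluster-side
# allow list that makes this request admissible and nothing broader.
apiVersion: v1
kind: Pod
metadata:
  name: example-app                    # placeholder name
spec:
  containers:
  - name: web
    image: example-app:latest          # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]                  # start from an empty capability set ...
        add: ["NET_ADMIN"]             # ... and grant only what the app needs
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: hephy-app-netadmin             # placeholder name
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]    # every pod under this policy must drop ALL
  allowedCapabilities: ["NET_ADMIN"]   # the only capability a pod may add back
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes: ["configMap", "secret", "emptyDir", "persistentVolumeClaim"]
```

PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the per-capability allow list has to come from Pod Security Admission levels or an external admission controller instead.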