Add SecurityContext options to use linux hardening capabilities

timescale / tobs

tobs - The Observability Stack for Kubernetes. Easy install of a full observability stack into a k8s cluster with Helm charts.

Apache License 2.0

563 stars 59 forks source link

Add SecurityContext options to use linux hardening capabilities #464

Closed paulfantom closed 1 year ago

paulfantom commented 2 years ago

What is missing?

Right now majority of pods are running with default SecurityContext. We should change it to force containers to run confined and use linux hardening capabilities (AppArmor, SELinux, seccomp, etc.)

Why do we need it?

To increase security and prevent issues like CVE-2022-0492 affecting the stack.

Anything else we need to know?: