search

weaveworks / policy-agent

Weaveworks Policy Agent
Mozilla Public License 2.0
31 stars 13 forks source link

Helm chart security compliance #203

Open manuelstein opened 10 months ago

manuelstein commented 10 months ago

Policy-agent deployment should include runAsNonRoot: true: https://github.com/weaveworks/policy-agent/blob/bc4e607fa90daf964367e4c8a81917c8a37fdfb2/helm/templates/agent.yaml#L164

Also, the seccomp profile type is missing, e.g. `spec.securityContext.seccompProfile.type: "RuntimeDefault"

waleedhammam commented 10 months ago

Hey @manuelstein I have a couple of questions

Why do we need it to run as a root ? I think this would give full privileges within the container, potentially allowing them to perform actions that could harm the host system or other containers meanwhile the policy-agent doesn't need host-level access. It doesn't mount any volumes / change network settings .. etc

Also about spec.securityContext.seccompProfile.type: "RuntimeDefault" I think it's by default taking the default profile that applies to the containers that's provided by the container runtime unless there's a custom profile with some security requirements

manuelstein commented 10 months ago

No, the setting is called runAsNonRoot.

Currently, the Helm chart does not comply with https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

Also, please check the recommendations on the seccompProfile following the link.

waleedhammam commented 10 months ago

Ah read it wrongly, it’s currently using user 1000 (non root). Will revisit the chart 👍