Open manuelstein opened 10 months ago
Hey @manuelstein I have a couple of questions
Why do we need it to run as a root ? I think this would give full privileges within the container, potentially allowing them to perform actions that could harm the host system or other containers meanwhile the policy-agent doesn't need host-level access. It doesn't mount any volumes / change network settings .. etc
Also about spec.securityContext.seccompProfile.type: "RuntimeDefault"
I think it's by default taking the default profile that applies to the containers that's provided by the container runtime unless there's a custom profile with some security requirements
No, the setting is called runAsNonRoot.
Currently, the Helm chart does not comply with https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
Also, please check the recommendations on the seccompProfile following the link.
Ah read it wrongly, it’s currently using user 1000 (non root). Will revisit the chart 👍
Policy-agent deployment should include
runAsNonRoot: true
: https://github.com/weaveworks/policy-agent/blob/bc4e607fa90daf964367e4c8a81917c8a37fdfb2/helm/templates/agent.yaml#L164Also, the seccomp profile type is missing, e.g. `spec.securityContext.seccompProfile.type: "RuntimeDefault"