Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split "Container Security Context" #325

Closed
zegl opened this issue Nov 2, 2020 · 2 comments · Fixed by #326
Closed

Split "Container Security Context" #325

zegl opened this issue Nov 2, 2020 · 2 comments · Fixed by #326
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

@zegl
Copy link
Owner

zegl commented Nov 2, 2020

As shown in #204, there's a need to being able to disable the UID and GID checks of the "Container Security Context" check without disabling the other checks that are made. I'm therefore proposing to split this check into three separate ones:

  • Container Security Context User/Group ID
  • Container Security Context Privileged
  • Container Security Context ReadOnlyRootFilesystem

Keeping all 3+1 versions around would not be desirable, and I'm proposing to use a three setup rollout plan:

  • v1.n: Add the three new checks, using opt-in, and deprecate the existing "Container Security Context" check.
  • v1.n+1: Enable the three new checks by default, mark "Container Security Context" as optional/opt-in.
  • v1.n+2: Remove "Container Security Context".
@zegl zegl mentioned this issue Nov 2, 2020
Closed
@zegl zegl added good first issue Good for newcomers help wanted Extra attention is needed labels Nov 2, 2020
@markuslackner
Copy link

markuslackner commented Nov 3, 2020
edited
Loading

Hi! I would start implementing this feature, if there is not someone else who has already started with implementing.

@zegl
Copy link
Owner Author

zegl commented Nov 3, 2020

@markuslackner I don't know of anyone else that has started to implement this, so feel free to go ahead! 👍

markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
90aeb84 
…for security context probe

Fixes zegl#325
markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
5d17b52 
…for security context probe

Fixes zegl#325
markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
a05e9f2 
…for security context probe

Fixes zegl#325
markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
8ebcea7 
…for security context probe

Fixes zegl#325
markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
cf682f4 
…for security context probe

Fixes zegl#325
@markuslackner markuslackner mentioned this issue Nov 4, 2020
Merged
markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
1134dbe 
…for security context probe

Fixes zegl#325
markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
daa264e 
…for security context probe

Fixes zegl#325
markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
5021dea 
…for security context probe

Fixes zegl#325
markuslackner pushed a commit to markuslackner/kube-score that referenced this issue Nov 4, 2020
score/security: added optional, splitted probes as future replacemnt …
10232ea 
…for security context probe

Fixes zegl#325
bors bot added a commit that referenced this issue Nov 7, 2020
@bors
Merge #326
a3ebfd1 
326: score/security: added optional, splitted probes as future replacemnt … r=zegl a=markuslackner

…for security context probe

Fixes #325

```
RELNOTE: container-security-context now deprecated and added optional probes container-security-context-user-group-id, container-security-context-privileged and container-security-context-readonlyrootfilesystem as replacement
```


Co-authored-by: Markus Lackner <[email protected]>
@bors bors bot closed this as completed in 576930c Nov 7, 2020
@bors bors bot closed this as completed in #326 Nov 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

score/security: added optional, splitted probes as future replacemnt … markuslackner/kube-score
2 participants
@zegl @markuslackner