Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forbid container privilege escalations #960

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Forbid container privilege escalations #960

wants to merge 1 commit into from

Conversation

georgibaltiev
Copy link

How to categorize this PR?

/area security
/area compliance
/kind enhancement
/platform gcp

What this PR does / why we need it:
This PR sets the securityContext.allowPrivilegeEscalation field to false for every container, which does not have securityContext.Privileged set to true or one of CAP_SYS_ADMIN/SYS_ADMIN capabilities added.

Which issue(s) this PR fixes:
Part of gardener/gardener#11139

Special notes for your reviewer:
cc @AleksandarSavchev

Release note:

Containers, which do not require privilege escalations, now forbid privilege escalations explicitly.

@gardener-robot gardener-robot added area/compliance Compliance related area/security Security related kind/enhancement Enhancement, improvement, extension platform/gcp Google cloud platform/infrastructure needs/review Needs review size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py) labels Feb 5, 2025
@gardener-robot-ci-3 gardener-robot-ci-3 added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Feb 5, 2025
@georgibaltiev georgibaltiev marked this pull request as ready for review February 6, 2025 07:12
@georgibaltiev georgibaltiev requested review from a team as code owners February 6, 2025 07:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/compliance Compliance related area/security Security related kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/review Needs review platform/gcp Google cloud platform/infrastructure size/xs Size of pull request is tiny (see gardener-robot robot/bots/size.py)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@georgibaltiev @gardener-robot-ci-3 @gardener-robot