Hardening to PSA restricted #181

Open
megian opened this issue Nov 9, 2022 · 2 comments
Assignees
Labels
enhancement New feature or request

Comments

@megian (Contributor) commented Nov 9, 2022

Context

With the growing ability to harden deployments with Pod Security Standards and Pod Security Admission, Keycloak, as a security component, should use all the capabilities available to prevent security flaws.

parameters:
  keycloak:
    namespaceLabels:
      pod-security.kubernetes.io/audit: restricted
      pod-security.kubernetes.io/enforce: restricted
      pod-security.kubernetes.io/warn: restricted

Keycloak and Bitnami Postgres currently do work in fully restricted mode. However, k8up, which performs the backup of Bitnami Postgres, is currently not able to set the container securityContext. See k8up-io/k8up#584.

Currently the baseline mode does work:

parameters:
  keycloak:
    namespaceLabels:
      pod-security.kubernetes.io/audit: baseline
      pod-security.kubernetes.io/enforce: baseline
      pod-security.kubernetes.io/warn: restricted

Alternatives

  • None
@megian megian added the enhancement New feature or request label Nov 9, 2022
@megian megian self-assigned this Nov 9, 2022
@megian (Contributor, Author) commented Nov 9, 2022

Warning: existing pods in namespace "test" violate the new PodSecurity enforce level "restricted:latest"
Warning: backup-backup-backup-djm28-jjwxn (and 9 other pods): allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
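The four controls named in the warning above, as an added example that is not code from this issue, from k8up or from Keycloak: a simplified Python re-implementation of the restricted-profile checks for allowPrivilegeEscalation, capabilities, runAsNonRoot and seccompProfile, evaluated offline against a pod manifest loaded as a dict. The pod names, image and the function names are assumptions; both sample manifests are constructed, one with no securityContext at all (as a pod whose controller cannot set one looks to the admission controller) and one carrying the minimum fields restricted demands. The other restricted controls (volume types, runAsUser, host namespaces, and so on) are deliberately not covered, so an empty result is not a full PSA pass.

```python
"""Added example, not code from the issue, k8up or Keycloak: a simplified
re-implementation of the four 'restricted' Pod Security Standard controls
named in the PSA warning, evaluated against a pod manifest dict (what
yaml.safe_load of a Pod YAML returns). Names and images are constructed."""

ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
# Wording of the controls as the admission controller prints them
CONTROL_ORDER = [
    "allowPrivilegeEscalation != false",
    "unrestricted capabilities",
    "runAsNonRoot != true",
    "seccompProfile",
]


def _all_containers(spec: dict) -> list:
    # Init, regular and ephemeral containers are all subject to the checks
    return ((spec.get("initContainers") or [])
            + (spec.get("containers") or [])
            + (spec.get("ephemeralContainers") or []))


def check_restricted(pod: dict) -> list:
    """Return '<container>: <control>' strings for every violated control.
    An empty list means the pod passes these four controls only; volume
    types, runAsUser and host namespaces are not checked here."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Must be explicitly false in every container; unset also fails
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation != false")
        # Must drop ALL; the only capability that may be added back is NET_BIND_SERVICE
        caps = sc.get("capabilities") or {}
        dropped = {x.upper() for x in caps.get("drop") or []}
        added = {x.upper() for x in caps.get("add") or []}
        if "ALL" not in dropped or not added <= ALLOWED_ADDED_CAPS:
            findings.append(f"{name}: unrestricted capabilities")
        # Container-level value overrides the pod-level one; effective value must be true
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot != true")
        # seccompProfile.type must be RuntimeDefault or Localhost at pod or container level
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            findings.append(f"{name}: seccompProfile")
    return findings


def psa_warning(pod: dict) -> str:
    """Collapse findings into one line shaped like the PSA warning; '' if clean."""
    violated = {f.split(": ", 1)[1] for f in check_restricted(pod)}
    if not violated:
        return ""
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    return f"{name}: " + ", ".join(c for c in CONTROL_ORDER if c in violated)


# Constructed: a backup pod whose controller sets no securityContext at all
UNHARDENED_POD = {
    "metadata": {"name": "backup-example"},
    "spec": {"containers": [{"name": "backup", "image": "example.invalid/backup:1"}]},
}

# Constructed: the same pod with the minimum fields restricted demands
HARDENED_POD = {
    "metadata": {"name": "backup-example"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "backup",
            "image": "example.invalid/backup:1",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (UNHARDENED_POD, HARDENED_POD):
        print(psa_warning(pod) or f"{pod['metadata']['name']}: passes the four checks")
```

Run as-is, the unhardened manifest produces the same four-item list the warning above shows, and the hardened one is clean. The pod-level runAsNonRoot and seccompProfile are enough for containers that do not override them, but allowPrivilegeEscalation and the capability drop have no pod-level equivalent and must be set on every container, which is exactly the part a controller that cannot set a container securityContext is unable to satisfy.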

@megian (Contributor, Author) commented May 15, 2024

k8up does not support updating the PodSecurity in the container configuration.
