Add default capability drop mutation policy
Feature Request
Why
Dropping capabilities from a pod or container is an excellent way to reduce the attack surface of the container if it is compromised. Big Bang by default includes a Kyverno policy that restricts pods from starting when they don't drop ALL capabilities. This is a good policy and achieves the desired security outcome, but it does require every pod (or container) securityContext to be updated to include this capability drop, often leading to forking of upstream Helm charts when they don't expose this in their values.
Proposed Solution
Similar to the issue of adding a default securityContext to pods, a policy can be written to explicitly add securityContext.capabilities.drop: [ALL] when the pod or container does not otherwise specify any capability drops. Unfortunately, unlike that issue, the upstream Kyverno policy repo does not have an example, so a policy will have to be defined from scratch.
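The following is one way such a mutation policy could look. It is an added example written for this issue, not a policy that ships with Big Bang or exists in the upstream kyverno/policies repo, and the policy name and description are placeholders. It relies on two Kyverno patchStrategicMerge anchors: the conditional anchor `(name): "*"` to select every container in the list, and the add-if-not-present anchor `+(drop)` so the list is inserted only when the container declares no `capabilities.drop` at all, which matches the proposal above (a container that already drops something, even just a single capability, is left untouched and still has to satisfy the existing validate policy). The initContainers and ephemeralContainers lists are handled in their own rules on the understanding that a rule whose anchored list is absent from the pod is simply skipped; that behaviour is an assumption and should be confirmed against the Kyverno version Big Bang ships.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  # Placeholder name; pick whatever fits the Big Bang policy naming scheme.
  name: add-default-capability-drop
  annotations:
    policies.kyverno.io/title: Add Default Capability Drop
    policies.kyverno.io/category: Pod Security
    policies.kyverno.io/description: >-
      Adds securityContext.capabilities.drop: [ALL] to every container,
      initContainer and ephemeralContainer that does not already declare a
      capabilities.drop list. Containers that already drop any capability
      are left unchanged so an explicit upstream choice is never overwritten.
spec:
  # Mutation only makes sense at admission time; background scans cannot
  # change the securityContext of pods that are already running.
  background: false
  rules:
    - name: drop-all-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # (name): "*" is a conditional anchor: the pattern applies to
              # every element of spec.containers regardless of its name.
              - (name): "*"
                securityContext:
                  capabilities:
                    # +(drop) is an add-if-not-present anchor: the list is
                    # inserted only when the container has no drop list yet.
                    # An existing capabilities.add list is left as-is, so a
                    # container that adds NET_BIND_SERVICE ends up with
                    # drop: [ALL] plus add: [NET_BIND_SERVICE].
                    +(drop):
                      - ALL
    - name: drop-all-init-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            initContainers:
              - (name): "*"
                securityContext:
                  capabilities:
                    +(drop):
                      - ALL
    - name: drop-all-ephemeral-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            ephemeralContainers:
              - (name): "*"
                securityContext:
                  capabilities:
                    +(drop):
                      - ALL
```

Because the match is on Pod, Kyverno's rule auto-generation also applies the mutation to the pod templates of Deployments, StatefulSets, DaemonSets, Jobs and CronJobs, so the drop lands on the controller before the pod is even created. The policy can be dry-run against a sample manifest with the Kyverno CLI (`kyverno apply policy.yaml --resource pod.yaml`) to confirm the patched output before enabling it cluster-wide; a useful pair of test inputs is a container with no securityContext at all and one that already sets `drop: [NET_RAW]`, since the first should gain `drop: [ALL]` and the second should come back unchanged.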