Ability to configure container security context
vania-pooh opened this issue
Could be needed in some restricted environments.
Since EKS 1.25, PodSecurityPolicy support was removed and PodSecurityAdmission support was added instead. When using PodSecurityAdmission, we have three levels of restriction:
- restricted - the most secure
- baseline
- privileged
It makes sense to run browser pods in restricted mode, but for now it is impossible:
➜ kubectl label --dry-run=server --overwrite ns moon-browsers pod-security.kubernetes.io/enforce=restricted
Warning: existing pods in namespace "moon-browsers" violate the new PodSecurity enforce level "restricted:latest"
Warning: microsoftedge-100-0-6c5dbf83-e0b8-43eb-bf60-f1615f34f569: allowPrivilegeEscalation != false, unrestricted capabilities, runAsNonRoot != true, seccompProfile
namespace/skondrashov labeled
2023/10/07 19:32:41 moon-6579f8df58-jnx6l: moon-browsers: microsoftedge-100-0-ea392d85-7e46-404e-9211-5f3f315baa9d: waiting resources: pods "microsoftedge-100-0-ea392d85-7e46-404e-9211-5f3f315baa9d" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "ca-certs", "x-server-init", "browser", "defender", "x-server", "vnc-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "ca-certs", "x-server-init", "browser", "defender", "x-server", "vnc-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "ca-certs", "x-server-init", "browser", "defender", "x-server", "vnc-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "ca-certs", "x-server-init", "browser", "defender", "x-server", "vnc-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
That means we have to configure a strict securityContext and seccompProfile. Please add either the ability to configure these parameters in the browser set or a single parameter like useRestrictedMode: true.
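Added example, not code from this issue or from Moon itself: a small checker that evaluates a pod spec against the four restricted-profile rules named in the admission error above (allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile) with the same precedence PodSecurity uses (a container's own securityContext overrides the pod-level one), plus a helper that applies the settings needed to pass. The pod spec is constructed here; the container names are the ones from the error message, and grouping `ca-certs` and `x-server-init` as init containers is an assumption made for the example. Nothing here calls the Kubernetes API.

```python
# Added example (not Moon's code): check a pod spec against the four
# "restricted" PodSecurity rules quoted in the admission error, then apply
# the securityContext that satisfies them. Sample spec is constructed.
import copy

RESTRICTED_SECCOMP_TYPES = ("RuntimeDefault", "Localhost")
ALLOWED_CAP_ADDS = {"NET_BIND_SERVICE"}  # the only capability restricted allows adding


def _containers(pod_spec):
    """PodSecurity checks initContainers and containers alike."""
    return list(pod_spec.get("initContainers", [])) + list(pod_spec.get("containers", []))


def restricted_violations(pod_spec):
    """Return {rule: [container names]} for every failing rule; {} means the
    spec passes. Container-level fields override pod-level ones, so a pod-level
    runAsNonRoot=true is undone by a container that sets runAsNonRoot=false."""
    pod_sec = pod_spec.get("securityContext") or {}
    failing = {"allowPrivilegeEscalation != false": [],
               "unrestricted capabilities": [],
               "runAsNonRoot != true": [],
               "seccompProfile": []}
    for c in _containers(pod_spec):
        sec = c.get("securityContext") or {}
        # allowPrivilegeEscalation is container-only and must be an explicit false
        if sec.get("allowPrivilegeEscalation") is not False:
            failing["allowPrivilegeEscalation != false"].append(c["name"])
        caps = sec.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []) or set(caps.get("add") or []) - ALLOWED_CAP_ADDS:
            failing["unrestricted capabilities"].append(c["name"])
        # pod-level value applies only when the container does not set its own
        if sec.get("runAsNonRoot", pod_sec.get("runAsNonRoot")) is not True:
            failing["runAsNonRoot != true"].append(c["name"])
        profile = sec.get("seccompProfile", pod_sec.get("seccompProfile")) or {}
        if profile.get("type") not in RESTRICTED_SECCOMP_TYPES:
            failing["seccompProfile"].append(c["name"])
    return {rule: names for rule, names in failing.items() if names}


def apply_restricted_security_context(pod_spec):
    """Return a copy of pod_spec with the minimal settings restricted demands:
    pod-level runAsNonRoot and seccompProfile, per-container
    allowPrivilegeEscalation=false and drop ALL. Container-level values that
    would override the pod-level ones are corrected; disallowed capability adds
    are stripped (which may break a workload that genuinely needs them)."""
    spec = copy.deepcopy(pod_spec)
    pod_sec = spec.setdefault("securityContext", {})
    pod_sec["runAsNonRoot"] = True
    pod_sec["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in _containers(spec):
        sec = c.setdefault("securityContext", {})
        sec["allowPrivilegeEscalation"] = False
        caps = sec.setdefault("capabilities", {})
        caps["drop"] = ["ALL"]
        caps["add"] = [cap for cap in caps.get("add") or [] if cap in ALLOWED_CAP_ADDS]
        if "runAsNonRoot" in sec:
            sec["runAsNonRoot"] = True
        if "seccompProfile" in sec and sec["seccompProfile"].get("type") not in RESTRICTED_SECCOMP_TYPES:
            sec["seccompProfile"] = {"type": "RuntimeDefault"}
    return spec


# Constructed sample shaped like the error above: no securityContext anywhere.
# Treating ca-certs and x-server-init as init containers is an assumption.
BROWSER_POD = {
    "initContainers": [{"name": n, "image": "example/" + n} for n in ("ca-certs", "x-server-init")],
    "containers": [{"name": n, "image": "example/" + n}
                   for n in ("browser", "defender", "x-server", "vnc-server")],
}


def demo():
    before = restricted_violations(BROWSER_POD)
    after = restricted_violations(apply_restricted_security_context(BROWSER_POD))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rule, names in before.items():
        print(f'violates PodSecurity "restricted": {rule} (containers {names})')
    print("after hardening:", after or "no violations")
```

Two caveats before enforcing this on a real namespace: runAsNonRoot=true makes the kubelet refuse to start any container whose image runs as UID 0, so the browser images must actually run as a non-root user (the issue does not say whether they do); and seccompProfile type Localhost needs the profile file present on every node, which is why the helper picks RuntimeDefault.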