
@georgibaltiev
Contributor

@georgibaltiev georgibaltiev commented Jan 29, 2025

What this PR does / why we need it:
This PR sets the securityContext.allowPrivilegeEscalation field to false for every container that does not have securityContext.Privileged set to true or one of the CAP_SYS_ADMIN/SYS_ADMIN capabilities added.

Which issue(s) this PR fixes:
Part of gardener/gardener#11139

Special notes for your reviewer:
cc @AleksandarSavchev

Release note:

Containers that do not require privilege escalation now explicitly forbid it.
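The rule this PR applies, as an added example (Python over a pod spec in the JSON shape `kubectl get pod -o json` returns, not the PR's own Go change): the sample pod spec and the function names are constructed for illustration. `find_unrestricted` reports the non-exempt containers that still allow escalation, and `harden_pod_spec` applies the PR's setting while leaving privileged and CAP_SYS_ADMIN containers untouched, since the API server rejects `allowPrivilegeEscalation: false` on those.

```python
import json

# Either capability spelling marks a container that needs escalation.
ESCALATION_CAPS = {"SYS_ADMIN", "CAP_SYS_ADMIN"}

def needs_escalation(container: dict) -> bool:
    """Privileged containers and those adding CAP_SYS_ADMIN stay exempt: the
    API server rejects allowPrivilegeEscalation=false on them."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged") is True:
        return True
    added = (sc.get("capabilities") or {}).get("add") or []
    return any(str(cap).upper() in ESCALATION_CAPS for cap in added)

def iter_containers(pod_spec: dict):
    for key in ("initContainers", "containers"):
        yield from pod_spec.get(key) or []

def harden_pod_spec(pod_spec: dict) -> list[str]:
    """Set allowPrivilegeEscalation=false on every non-exempt container
    (in place) and return the names of the containers left exempt."""
    exempt = []
    for c in iter_containers(pod_spec):
        if needs_escalation(c):
            exempt.append(c["name"])
            continue
        sc = c.get("securityContext") or {}  # tolerate an explicit null
        sc["allowPrivilegeEscalation"] = False
        c["securityContext"] = sc
    return exempt

def find_unrestricted(pod_spec: dict) -> list[str]:
    """Audit helper: non-exempt containers whose allowPrivilegeEscalation is
    missing or true, e.g. over the JSON from `kubectl get pod -o json`."""
    return [
        c["name"] for c in iter_containers(pod_spec)
        if not needs_escalation(c)
        and (c.get("securityContext") or {}).get("allowPrivilegeEscalation")
        is not False
    ]

# Constructed sample (not from the PR): privileged init container, ordinary
# app container, and a sidecar that adds SYS_ADMIN.
SAMPLE_POD_SPEC = json.loads("""{
  "initContainers": [{"name": "setup", "image": "busybox",
                      "securityContext": {"privileged": true}}],
  "containers": [{"name": "app", "image": "nginx"},
                 {"name": "sidecar", "image": "tools",
                  "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}""")
```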

@georgibaltiev georgibaltiev requested a review from a team as a code owner January 29, 2025 12:49
@gardener-robot gardener-robot added needs/review Needs review size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 29, 2025
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 29, 2025
@gardener-robot-ci-2 gardener-robot-ci-2 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jan 29, 2025
Member

@vpnachev vpnachev left a comment

/lgtm

@vpnachev vpnachev merged commit 1a532ba into gardener:master Jan 30, 2025
9 checks passed
@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging status/closed Issue is closed (either delivered or triaged) and removed needs/review Needs review labels Jan 30, 2025
@gardener-robot-ci-3 gardener-robot-ci-3 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 30, 2025