Linux bridge: Harden SCC by restricting SELinux context and allowed volume types (#2331)
* linux-bridge, scc: Restrict SELinux context to MustRunAs with spc_t type
Switch the SecurityContextConstraints (SCC) policy from RunAsAny
to MustRunAs for the SELinux context. Additionally, specify the
SELinux type as spc_t to better confine the privileged container.
This strengthens the SELinux policy, ensuring that even privileged
containers are restricted by a specific SELinux type, improving
overall security posture.
Signed-off-by: Ram Lavi <[email protected]>
* linux-bridge, scc: Restrict volume paths.
Limit the allowed volume types in the SCC to only hostPath,
configMap, and secret, removing the wildcard "*" that allowed
all volume types. This reduces the container's access to only
the required volume types and follows the principle of least
privilege for better security hardening.
Signed-off-by: Ram Lavi <[email protected]>
* linux-bridge, scc: Enable readOnlyRootFilesystem with writable /tmp emptyDir
Harden the linux-bridge DaemonSet by enabling
readOnlyRootFilesystem: true, ensuring that the container's root
filesystem is immutable to enhance security.
Since some system utilities (e.g., bash, cp, sha256sum) may require a
writable /tmp directory, mount an emptyDir at /tmp to provide a writable
scratch space, following container security best practices [0].
Also update the associated SCC to enforce readOnlyRootFilesystem: true
at the policy level.
[0] https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-storage:-emptydir
Signed-off-by: Ram Lavi <[email protected]>
---------
Signed-off-by: Ram Lavi <[email protected]>
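The three hardening steps in the commit message, shown as an added illustration of what the SecurityContextConstraints and DaemonSet look like before and after. This is not the project's own manifest: the resource names (`linux-bridge`), the label selector and the container image are assumptions, and only the fields named in the commits are shown. `spc_t` is the type that container-selinux gives to privileged ("super privileged") containers; pinning it with `MustRunAs` means a pod admitted under this SCC cannot request a different SELinux label, and the explicit `volumes` list means a pod asking for any other volume type (for example a PVC or a projected volume) is rejected at admission.

```yaml
# Added illustration, not the project's manifests. Resource names,
# labels and the image are assumed placeholders.

# --- BEFORE: the permissive SCC the commits replace ---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: linux-bridge                 # assumed name
allowPrivilegedContainer: true
seLinuxContext:
  type: RunAsAny                     # any SELinux label is accepted
volumes:
  - "*"                              # wildcard: every volume type allowed
readOnlyRootFilesystem: false        # writable root filesystem permitted
---
# --- AFTER: hardened as described in the three commits ---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: linux-bridge                 # assumed name
allowPrivilegedContainer: true
seLinuxContext:
  type: MustRunAs                    # pods receive exactly this label
  seLinuxOptions:
    type: spc_t                      # confine even the privileged container to spc_t
volumes:                             # only what the DaemonSet actually needs
  - hostPath
  - configMap
  - secret
readOnlyRootFilesystem: true         # enforced by SCC admission
---
# --- DaemonSet pod spec matching the hardened SCC ---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: linux-bridge                 # assumed name
spec:
  selector:
    matchLabels:
      app: linux-bridge              # assumed label
  template:
    metadata:
      labels:
        app: linux-bridge
    spec:
      containers:
        - name: linux-bridge
          image: example.invalid/linux-bridge:latest   # placeholder image
          securityContext:
            privileged: true
            readOnlyRootFilesystem: true   # immutable root filesystem
          volumeMounts:
            - name: tmp
              mountPath: /tmp            # writable scratch space for bash, cp, sha256sum
      volumes:
        - name: tmp
          emptyDir: {}                   # per-pod, discarded when the pod goes away
```

A quick check after applying such a change is to confirm the pod still starts and that writes outside `/tmp` fail: `oc exec <pod> -- touch /test` should return a read-only filesystem error, while `oc exec <pod> -- touch /tmp/test` succeeds. Because `emptyDir` lives on the node's disk by default, anything a tool writes to `/tmp` is still readable from the node; if the scratch data is sensitive, `emptyDir: {medium: Memory}` keeps it in tmpfs instead.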