github/polaris
1
0
Fork 0
mirror of https://github.com/FairwindsOps/polaris.git synced 2026-05-19 15:48:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2ac6a2b54029f155f6ca696fbd430b398686241f
polaris/docs/check-documentation/security.md
Robert Brennan 2ac6a2b540 Change error to danger (#299) 
* rename 'error' to 'danger'

* update dashboard

* fix docs

* update deploy configs
2020-05-19 08:41:07 -04:00

1.8 KiB
Raw Blame History

Security

Polaris supports a number of checks related to security.

key default description
security.hostIPCSet danger Fails when hostIPC attribute is configured.
security.hostPIDSet danger Fails when hostPID attribute is configured.
security.notReadOnlyRootFilesystem warning Fails when securityContext.readOnlyRootFilesystem is not true.
security.privilegeEscalationAllowed danger Fails when securityContext.allowPrivilegeEscalation is true.
security.runAsRootAllowed danger Fails when securityContext.runAsNonRoot is not true.
security.runAsPrivileged danger Fails when securityContext.privileged is true.

Security Capabilities

Additional validations are available to ensure pods are running with a limited set of capabilities. More information is available in our Security Capabilities documentation.

Background

Securing workloads in Kubernetes is an important part of overall cluster security. The overall goal should be to ensure that containers are running with as minimal privileges as possible. This includes avoiding privilege escalation, not running containers with a root user, and using read only file systems wherever possible.

Much of this configuration can be found in the securityContext attribute for both Kubernetes pods and containers. Where configuration is available at both a pod and container level, Polaris validates both.

Further Reading

Reference in New Issue View Git Blame Copy Permalink