polaris/docs/check-documentation/security-capabilities.md
Nick Huanca 75f70352ba Additional Pod Controller Scans (#166)
**Changes**

- Refactored the way controllers work to be an interface
- Added configurable controllers to include in scans
- Added daemonsets, jobs and cronjobs in scans
- Added `ReplicationController` type controllers to the supported list
- Adjusted logic for failed YAML parsing to bubble up errors
- Added better logic for calculating summaries on cluster wide results
- Relocated responsibilities for counting types into validators vs spreading it around more packages
- Fixed bug where cronjob parsing was using wrong KIND
- Added fixtures for mocking new controller types
- Added example yamls to test scanning files
- Added functions to NamespacedResult(s) to reduce code complexity deep set iterations
- Refactored how results get added to namespacedresults so adding more later is easier
- Minor signature changes for interface implementing structs for controllers
2019-07-31 15:56:27 -06:00


Security Capabilities

Polaris supports a number of checks to ensure pods are running with a limited set of capabilities. Under `security.capabilities`, there are `error` and `warning` sections that set the severity of a failure for each of the following checks.

| key | default | description |
| --- | --- | --- |
| `security.capabilities.error.ifAnyAdded` | `[SYS_ADMIN, NET_ADMIN, ALL]` | Fails when any of the listed capabilities have been added. |
| `security.capabilities.error.ifAnyAddedBeyond` | `nil` | Fails when any capabilities have been added beyond the specified list. |
| `security.capabilities.error.ifAnyNotDropped` | `nil` | Fails when any of the listed capabilities have not been dropped. |
| `security.capabilities.warning.ifAnyAdded` | `nil` | Fails when any of the listed capabilities have been added. |
| `security.capabilities.warning.ifAnyAddedBeyond` | `[CHOWN, DAC_OVERRIDE, FSETID, FOWNER, MKNOD, NET_RAW, SETGID, SETUID, SETFCAP, SETPCAP, NET_BIND_SERVICE, SYS_CHROOT, KILL, AUDIT_WRITE]` | Fails when any capabilities have been added beyond the specified list. |
| `security.capabilities.warning.ifAnyNotDropped` | `nil` | Fails when any of the listed capabilities have not been dropped. |

Background

Linux Capabilities allow you to specify privileges for a process at a granular level. The default list of capabilities included with a container is already fairly minimal, but it can often be restricted further.

In a Kubernetes configuration, these capabilities can be added or removed by adjusting `securityContext.capabilities` on a container.
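As an added example (not Polaris's own code), the three checks from the table above applied to a container's `securityContext.capabilities` add/drop lists in Go. The type names, `Evaluate`, and the treatment of `drop: [ALL]` as satisfying every required drop are this example's assumptions, not documented behaviour of the project.

```go
package main

import "fmt"

// Capabilities mirrors a container's securityContext.capabilities add/drop lists.
type Capabilities struct{ Add, Drop []string }

// CapabilityRules is one severity section (error or warning) of the
// security.capabilities config; a nil list disables that check.
type CapabilityRules struct{ IfAnyAdded, IfAnyAddedBeyond, IfAnyNotDropped []string }

func contains(list []string, item string) bool {
	for _, v := range list {
		if v == item {
			return true
		}
	}
	return false
}

// Evaluate runs the three checks of one severity section and returns one
// message per failure; an empty slice means the container passed.
func Evaluate(caps Capabilities, rules CapabilityRules) []string {
	failures := []string{}
	for _, c := range caps.Add {
		if contains(rules.IfAnyAdded, c) {
			failures = append(failures, fmt.Sprintf("ifAnyAdded: %s was added", c))
		}
		if rules.IfAnyAddedBeyond != nil && !contains(rules.IfAnyAddedBeyond, c) {
			failures = append(failures, fmt.Sprintf("ifAnyAddedBeyond: %s is not in the allowed list", c))
		}
	}
	// Dropping ALL drops every capability in Kubernetes, so it satisfies any
	// required drop here (the example's own interpretation, not from the page).
	dropsAll := contains(caps.Drop, "ALL")
	for _, c := range rules.IfAnyNotDropped {
		if !dropsAll && !contains(caps.Drop, c) {
			failures = append(failures, fmt.Sprintf("ifAnyNotDropped: %s was not dropped", c))
		}
	}
	return failures
}

// Defaults taken from the table above (error and warning sections).
var DefaultErrorRules = CapabilityRules{IfAnyAdded: []string{"SYS_ADMIN", "NET_ADMIN", "ALL"}}
var DefaultWarningRules = CapabilityRules{IfAnyAddedBeyond: []string{
	"CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID", "SETUID",
	"SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE"}}
```

A container that adds `NET_ADMIN` and `SYS_TIME` without dropping anything yields one error (`NET_ADMIN` is in the default `ifAnyAdded` list) and two warnings (both capabilities are beyond the default `ifAnyAddedBeyond` list), while a container that adds only `NET_BIND_SERVICE` and drops `ALL` passes both sections.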

Further Reading