mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-08 18:26:43 +00:00
bd14ab8bc1
* Release 1.0.0 * update deploy files * remove docs for old capabilities * update images * update image * update docs * remove capabilities language * add CLI changes to changelog * reorg changelog
2.1 KiB
2.1 KiB
Security
Polaris supports a number of checks related to security.
| key | default | description |
|---|---|---|
security.hostIPCSet |
danger |
Fails when hostIPC attribute is configured. |
security.hostPIDSet |
danger |
Fails when hostPID attribute is configured. |
security.notReadOnlyRootFilesystem |
warning |
Fails when securityContext.readOnlyRootFilesystem is not true. |
security.privilegeEscalationAllowed |
danger |
Fails when securityContext.allowPrivilegeEscalation is true. |
security.runAsRootAllowed |
danger |
Fails when securityContext.runAsNonRoot is not true. |
security.runAsPrivileged |
danger |
Fails when securityContext.privileged is true. |
security.insecureCapabilities |
warning |
Fails when securityContext.capabilities includes one of the capabilities listed here |
security.dangerousCapabilities |
danger |
Fails when securityContext.capabilities includes one of the capabilities listed here |
Background
Securing workloads in Kubernetes is an important part of overall cluster security. The overall goal should be to ensure that containers are running with as minimal privileges as possible. This includes avoiding privilege escalation, not running containers with a root user, and using read only file systems wherever possible.
Much of this configuration can be found in the securityContext attribute for both Kubernetes pods and containers. Where configuration is available at both a pod and container level, Polaris validates both.