github/polaris
1
0
Fork 0
mirror of https://github.com/FairwindsOps/polaris.git synced 2026-05-09 10:47:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ebfb4ea9a106e2dc59a01fd42418470fbf159813
polaris/docs/security-capabilities.md
Rob Scott 287be8e57e a variety of dashboard updates and cleanup
2019-05-14 16:22:39 -04:00

1.9 KiB
Raw Blame History

Security Capabilities

Polaris supports a number of checks to ensure pods are running with a limited set of capabilities. Under security.capabilities, there are error and warning sections indicating the severity of failures for the following checks.

key default description
security.capabilities.error.ifAnyAdded [SYS_ADMIN, NET_ADMIN, ALL] Fails when any of the listed capabilities have been added.
security.capabilities.error.ifAnyAddedBeyond nil Fails when any capabilities have been added beyond the specified list.
security.capabilities.error.ifAnyNotDropped nil Fails when any of the listed capabilities have not been dropped.
security.capabilities.warning.ifAnyAdded nil Fails when any of the listed capabilities have been added.
security.capabilities.warning.ifAnyAddedBeyond [CHOWN, DAC_OVERRIDE, FSETID, FOWNER, MKNOD, NET_RAW, SETGID, SETUID, SETFCAP, SETPCAP, NET_BIND_SERVICE, SYS_CHROOT, KILL,AUDIT_WRITE] Fails when any capabilities have been added beyond the specified list.
security.capabilities.warning.ifAnyNotDropped nil Fails when any of the listed capabilities have not been dropped.

Background

Linux Capabilities allow you to specify privileges for a process at a granular level. The default list of capabilities included with a container are already fairly minimal, but often can be further restricted.

With Kubernetes configuration, these capabilities can be added or removed by adjusting securityContext.capabilities.

Further Reading

Reference in New Issue View Git Blame Copy Permalink