Version: 10.9.x

Configure Security Features

To help secure a project, the Console lets you configure a set of security features that are applied as pod annotations, pod spec fields and Security Context settings.

To better account for the differences between container management systems and the Kubernetes versions they support, these security features are divided into the following attributes:

  • appArmor
  • privilegedPod
  • hostProperties
  • seccompProfile

These properties can be configured through the securityFeatures object in the CMS area at Company and Project level.

If the security features are not configured for a project, the respective attributes are taken from the Company level.

By default, the securityFeatures object sets all of its attributes to true.

caution

If the Security Features are enabled in your project but not all of them are set up, those features that are not configured are automatically set to false.

appArmor

AppArmor is a Linux Security Module that implements Mandatory Access Control; Kubernetes has supported it since v1.4.

AppArmor annotations set up a profile used by containerd to harden containerized applications and constrain exploitation.

The template for such a profile is available on GitHub.

privilegedPod

The privilegedPod property configures the following attributes in a securityContext object:

  • allowPrivilegeEscalation: controls whether a process can gain more privileges than its parent process. This defaults to true when the container has the CAP_SYS_ADMIN capability or is run as privileged.
  • privileged: controls whether the Pod can run privileged containers.

You can learn more about the Security Context object at the official Kubernetes documentation.

hostProperties

The hostProperties property sets the following parameters to false. Left enabled, they could allow access to shared information and be used to elevate privileges.

  • hostPID: controls whether containers can share host process namespaces;
  • hostIPC: controls whether containers can read the shared memory between processes that communicate with IPC mechanisms;
  • hostNetwork: controls whether containers can use the host network, which allows bypassing network policies.

These fields are described in the Pod Security Policies section of the official Kubernetes documentation.

seccompProfile

This property enables the seccompProfile attribute of the Security Context object in order to restrict the syscalls a container can make.

This feature is available as of Kubernetes v1.19, and you can learn more in the official Kubernetes documentation.
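
The following check is an added example, not code from the Console: it audits a Pod manifest (loaded as a Python dict) against the four attributes described above and reports what is still left open. The sample manifests, the container name `api` and the `runtime/default` profile value are constructed assumptions; the page does not state which profile values the Console writes.

```python
# Added example: audit a Pod manifest (as a dict) against the four attributes.
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"  # per-container key

def audit_pod(pod):
    """Return {attribute: [findings]}; an empty list means nothing to flag."""
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations") or {}
    pod_sc = spec.get("securityContext") or {}
    out = {"appArmor": [], "privilegedPod": [], "hostProperties": [], "seccompProfile": []}

    # hostProperties: each field defaults to false when omitted.
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(field, False):
            out["hostProperties"].append(f"{field} is true")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext") or {}
        profile = annotations.get(APPARMOR_PREFIX + name)
        if profile in (None, "unconfined"):
            out["appArmor"].append(f"{name}: AppArmor profile {profile or 'not set'}")
        # privilegedPod: escalation is only off when explicitly false, and
        # privileged or CAP_SYS_ADMIN turn it back on regardless.
        added = set((sc.get("capabilities") or {}).get("add") or [])
        privileged = bool(sc.get("privileged", False))
        if privileged:
            out["privilegedPod"].append(f"{name}: privileged is true")
        if (sc.get("allowPrivilegeEscalation") is not False or privileged
                or added & {"SYS_ADMIN", "CAP_SYS_ADMIN", "ALL"}):
            out["privilegedPod"].append(f"{name}: privilege escalation allowed")
        # seccompProfile: container-level setting overrides pod-level; unset is
        # treated as Unconfined (assumes no kubelet-wide seccomp default).
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type", "Unconfined") == "Unconfined":
            out["seccompProfile"].append(f"{name}: seccomp Unconfined")
    return out

# Constructed sample manifests, trimmed to the fields the audit reads.
HARDENED = {"metadata": {"annotations": {APPARMOR_PREFIX + "api": "runtime/default"}},
            "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                     "containers": [{"name": "api", "securityContext": {
                         "allowPrivilegeEscalation": False, "privileged": False}}]}}
WEAK = {"metadata": {}, "spec": {"hostNetwork": True, "hostPID": True,
        "containers": [{"name": "api", "securityContext": {
            "capabilities": {"add": ["SYS_ADMIN"]}, "allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_pod(pod))
```

The WEAK manifest sets allowPrivilegeEscalation to false yet is still flagged, because the added SYS_ADMIN capability overrides that setting.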