To address the security of the project, the console lets you configure a set of security features that are applied as pod annotations, pod spec fields and Security Context settings.
To account for differences between container management systems and the Kubernetes versions they support, these security features are divided into the following attributes:
These properties can be configured through the securityFeatures object in the CMS area, at Company and Project level.
If the security features are not configured for a project, the respective attributes are inherited from the company level.
By default, the securityFeatures object sets all of its attributes to
If the security features are enabled in your project but not all of them are set up, the features that are not configured are automatically set to
AppArmor is a Linux Security Module that implements Mandatory Access Control; Kubernetes has supported it since v1.4.
AppArmor annotations select a profile that containerd applies to harden containerized applications and constrain exploitation.
The template for such profile is available on GitHub.
The privilegedPod property configures the following attributes in a
- allowPrivilegeEscalation: controls whether a process can gain more privileges than its parent process; this is always true when the CAP_SYS_ADMIN capability is enabled or the container runs as privileged.
- privileged: controls whether the Pod can run privileged containers.
You can learn more about the Security Context object at the official Kubernetes documentation.
The hostProperties property sets the following parameters to false; if enabled, they could grant access to shared host information and be used to elevate privileges.
- hostPID: controls whether containers can share the host process namespace;
- hostIPC: controls whether containers can read shared memory of host processes that communicate through IPC mechanisms;
- hostNetwork: controls whether containers can use the host network, which allows them to bypass network policies.
These fields are described in the Pod Security Policies section of the official Kubernetes documentation.
This property enables the seccompProfile attribute of the Security Context object in order to restrict the system calls a container can make.
This feature is available as of Kubernetes v1.19; you can learn more in the official Kubernetes documentation.
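The checks below tie together the four attributes described on this page (AppArmor annotation, privilegedPod, hostProperties and seccompProfile) as a small audit over a Pod manifest. This is an added example, not the console's own code: it assumes the standard Kubernetes AppArmor annotation key (`container.apparmor.security.beta.kubernetes.io/<container>`) and the `securityContext.seccompProfile` field, and both pod specs it inspects are constructed for illustration.

```python
"""Audit a Pod manifest for the security features this page describes.

Added example, not the console's code. A finding is reported whenever a
field is left in a state the securityFeatures object would not allow.
"""
from typing import Dict, List

# Standard Kubernetes annotation prefix for per-container AppArmor profiles.
APPARMOR_ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def audit_pod(pod: Dict) -> List[str]:
    """Return a list of human-readable findings; an empty list means hardened."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations", {})

    # hostProperties: all three host namespace flags must be false
    # (an absent field is false by default and is therefore accepted).
    for field in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(field, False):
            findings.append(f"spec.{field} is true")

    pod_sc = spec.get("securityContext", {})
    for container in spec.get("containers", []):
        name = container["name"]
        sc = container.get("securityContext", {})

        # privilegedPod: privileged containers are rejected outright.
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged is true")
        # allowPrivilegeEscalation is not hardened unless explicitly false,
        # so an unset value is treated as a finding.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not set to false")

        # seccompProfile: the container-level setting overrides the pod-level
        # one; anything other than a restrictive profile is a finding.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile")
        if not seccomp or seccomp.get("type") == "Unconfined":
            findings.append(f"{name}: no restrictive seccompProfile")

        # AppArmor: each container needs a profile annotation that is not
        # "unconfined" (e.g. "runtime/default" or "localhost/<profile>").
        profile = annotations.get(APPARMOR_ANNOTATION_PREFIX + name)
        if profile is None or profile == "unconfined":
            findings.append(f"{name}: no AppArmor profile annotation")

    return findings


# Constructed sample: a pod that leaves every feature in its weak state.
WEAK_POD = {
    "metadata": {"name": "weak-pod", "annotations": {}},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {"privileged": True},
            }
        ],
    },
}

# Constructed sample: the same pod with every feature configured as this
# page describes (host flags false, no privilege, seccomp and AppArmor set).
HARDENED_POD = {
    "metadata": {
        "name": "hardened-pod",
        "annotations": {APPARMOR_ANNOTATION_PREFIX + "app": "runtime/default"},
    },
    "spec": {
        "hostPID": False,
        "hostIPC": False,
        "hostNetwork": False,
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {
                "name": "app",
                "image": "example/app:1.0",
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                },
            }
        ],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        name = pod["metadata"]["name"]
        result = audit_pod(pod)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Running the module prints six findings for the weak pod and nothing for the hardened one; the same function can be fed manifests loaded from YAML to verify what a project's securityFeatures settings will actually enforce.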