Comments (8)
Hi @Socolin, this is considered a best-practice by many security-focused entities. The aim is to provide a buffer in order to avoid conflicts with the host's user table, and this is agreed-upon as a reasonable buffer.
The security perspective is that even with other UIDs, we risk impersonating another user on the host system if the container is compromised. To drastically reduce the probability, configured users should only start from UID 10,000.
Some references:
- https://cloudogu.com/en/blog/k8s-app-ops-part-3-security-context-1
- https://kubesec.io/basics/containers-securitycontext-runasuser/
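As an added example, not datree's code and not the rule's actual implementation, here is a small Python check that applies the practice described above: it computes each container's effective `runAsUser` (container-level `securityContext` overrides the pod-level one, and workload kinds nest the pod spec under `spec.template.spec`), then flags any container whose UID is unset or below 10,000. It assumes manifests are already loaded as Python dicts; the sample manifests are constructed for this example. The `hostUsers: false` pod field is the Kubernetes user-namespaces switch (v1.25+) that a later comment in this thread refers to; the field name comes from the Kubernetes docs, not from this page.

```python
"""Check Kubernetes pod specs for the 'runAsUser >= 10000' practice.

Added example, not datree's own code. All manifests below are constructed.
"""

MIN_UID = 10_000  # threshold discussed in the thread


def effective_run_as_user(pod_spec, container):
    """Container-level securityContext overrides the pod-level one."""
    container_sc = container.get("securityContext") or {}
    if "runAsUser" in container_sc:
        return container_sc["runAsUser"]
    pod_sc = pod_spec.get("securityContext") or {}
    # None when neither level sets it: the image's USER (often root) applies
    return pod_sc.get("runAsUser")


def check_pod(manifest, min_uid=MIN_UID):
    """Return a list of findings as (container_name, reason) tuples."""
    spec = manifest.get("spec", {})
    # Deployment/StatefulSet/Job wrap the pod spec in spec.template.spec
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    # User namespaces map container UIDs away from host UIDs (k8s 1.25+),
    # which is the mitigation this rule exists to compensate for.
    if spec.get("hostUsers") is False:
        return []
    findings = []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        uid = effective_run_as_user(spec, c)
        if uid is None:
            findings.append((c["name"], "runAsUser not set (falls back to image USER)"))
        elif uid < min_uid:
            findings.append((c["name"], f"runAsUser {uid} is below {min_uid}"))
    return findings


# --- constructed sample manifests ---------------------------------------
BAD_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 1000},      # pod-level, too low
        "containers": [
            {"name": "app"},                           # inherits 1000
            {"name": "sidecar",
             "securityContext": {"runAsUser": 10001}}, # overrides, OK
        ],
    }}},
}

GOOD_POD = {
    "kind": "Pod",
    "spec": {
        "securityContext": {"runAsUser": 10001},
        "containers": [{"name": "web"}],
    },
}

UNSET_POD = {"kind": "Pod", "spec": {"containers": [{"name": "web"}]}}

USERNS_POD = {
    "kind": "Pod",
    "spec": {
        "hostUsers": False,                            # user namespace enabled
        "containers": [{"name": "web", "securityContext": {"runAsUser": 0}}],
    },
}

if __name__ == "__main__":
    for name, m in [("bad", BAD_DEPLOYMENT), ("good", GOOD_POD),
                    ("unset", UNSET_POD), ("userns", USERNS_POD)]:
        print(name, check_pod(m))
```

Running the file prints one finding for the deployment (the `app` container inherits the pod-level UID 1000), one for the pod with no `securityContext` at all, and none for the other two.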
Thanks for the explanation.
I would have expected this to be handled by namespaces; from what I see there is a user namespace feature in k8s now:
https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces
Yes, looks like user namespaces will mitigate this security risk, but this feature is only available in v1.25, so this rule is relevant to all earlier versions 👍
Is there a way to specify the version used to datree so that it ignores this warning?
You can just turn off (disable) this rule, and this way it will not run:
https://hub.datree.io/dashboard/policies#customizing-a-policy
Is there any way to disable this with a file, in like ~/.config/datree/ or something like that, to avoid adding an annotation on every resource? I'm using datree without an account (and I would like to avoid having a new secret to manage in the pipeline), so I don't have access to this UI.
Hi @Socolin
You can skip a certain rule by adding the cli skip annotation. Here's a link to the docs: https://hub.datree.io/configuration/behavior#skip-specific-rules-for-a-single-object
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.