blockprivilegedcontainers

package
v0.0.0-...-44dad58
Published: Dec 20, 2021 License: Apache-2.0 Imports: 9 Imported by: 0

README

Block privileged containers [MTB-PL1-BC-CPI-5]

Profile Applicability: 1

Type: Behavioral Check

Category: Control Plane Isolation

Description: Linux

Rationale:

By default a container is not allowed to access any devices on the host, but a “privileged” container can access all devices on the host. A process within a privileged container can also get unrestricted host access. Hence, tenants should not be allowed to run privileged containers.

Audit:

Create a pod or container that sets privileged to true in its securityContext. The pod creation must fail.

Remediation:

Define a PodSecurityPolicy with privileged set to false and map the policy to each tenant's namespace, or use a policy engine such as OPA/Gatekeeper or Kyverno to prevent tenants from running privileged containers. You can use the policies present here.

namespaceRequired: 1
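The decision the remediation asks a policy engine to make, reduced to its core logic as an added example in Go. This is not the benchmark's own code (which drives a live cluster through the Kubernetes API); it parses a Pod manifest offline and reports every container that sets privileged to true, so a non-empty result is the rejection the audit step expects. The sample manifest is constructed here to match the pod the audit step describes.

```go
package main

import ("encoding/json"; "fmt")

// Minimal subset of the Pod schema: only the fields this check inspects.
type securityContext struct {
	Privileged *bool `json:"privileged"`
}
type container struct {
	Name            string           `json:"name"`
	SecurityContext *securityContext `json:"securityContext"`
}
type pod struct {
	Spec struct {
		InitContainers      []container `json:"initContainers"`
		Containers          []container `json:"containers"`
		EphemeralContainers []container `json:"ephemeralContainers"`
	} `json:"spec"`
}

// PrivilegedContainers parses a Pod manifest (JSON) and returns the names of
// every container that sets securityContext.privileged to true. A non-empty
// result is the "reject" decision the audit step expects. Init and ephemeral
// containers are inspected too: a policy that only checks spec.containers leaves a gap.
func PrivilegedContainers(manifest []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(manifest, &p); err != nil {
		return nil, fmt.Errorf("invalid pod manifest: %w", err)
	}
	var offenders []string
	for _, list := range [][]container{p.Spec.InitContainers, p.Spec.Containers, p.Spec.EphemeralContainers} {
		for _, c := range list {
			if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged {
				offenders = append(offenders, c.Name)
			}
		}
	}
	return offenders, nil
}

// Constructed sample (not from the page): the pod the audit step says to create.
const auditPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"priv-test"},
"spec":{"containers":[{"name":"c","image":"busybox","securityContext":{"privileged":true}}]}}`

func main() {
	names, err := PrivilegedContainers([]byte(auditPod))
	fmt.Println(names, err) // [c] <nil>
}
```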

Documentation

There is no documentation for this package.
