From b630433aa80c41a7e72dc6a0036c21a1a74a370f Mon Sep 17 00:00:00 2001
From: dandds
Date: Tue, 28 Jan 2020 14:10:55 -0500
Subject: [PATCH] Disable container privilege escalation.

Per Azure best practice, disable a container's ability to escalate its privileges. https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources
---
 deploy/azure/azure.yml | 8 ++++++++
 deploy/azure/crls-sync.yaml | 2 ++
 deploy/shared/migration.yaml | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/deploy/azure/azure.yml b/deploy/azure/azure.yml
index f988d5fc..d58f77a7 100644
--- a/deploy/azure/azure.yml
+++ b/deploy/azure/azure.yml
@@ -29,6 +29,8 @@ spec: containers: - name: atst image: $CONTAINER_IMAGE + securityContext: + allowPrivilegeEscalation: false env: - name: UWSGI_PROCESSES value: "2"
@@ -64,6 +66,8 @@ spec: cpu: 940m - name: nginx image: nginx:alpine + securityContext: + allowPrivilegeEscalation: false ports: - containerPort: 8342 name: main-upgrade
@@ -189,6 +193,8 @@ spec: containers: - name: atst-worker image: $CONTAINER_IMAGE + securityContext: + allowPrivilegeEscalation: false args: [ "/opt/atat/atst/.venv/bin/python",
@@ -261,6 +267,8 @@ spec: containers: - name: atst-beat image: $CONTAINER_IMAGE + securityContext: + allowPrivilegeEscalation: false args: [ "/opt/atat/atst/.venv/bin/python",
diff --git a/deploy/azure/crls-sync.yaml b/deploy/azure/crls-sync.yaml
index 5fdcd7b8..221a0d8c 100644
--- a/deploy/azure/crls-sync.yaml
+++ b/deploy/azure/crls-sync.yaml
@@ -20,6 +20,8 @@ spec: containers: - name: crls image: $CONTAINER_IMAGE + securityContext: + allowPrivilegeEscalation: false command: [ "/bin/sh", "-c" ]
diff --git a/deploy/shared/migration.yaml b/deploy/shared/migration.yaml
index b5161114..4944aa0c 100644
--- a/deploy/shared/migration.yaml
+++ b/deploy/shared/migration.yaml
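Review bot: `allowPrivilegeEscalation: false` is the only securityContext field set on the atst container, and the identical two-line block recurs in the nginx, atst-worker, atst-beat and crls hunks and again in deploy/shared/migration.yaml. That flag only stops a process from acquiring more privilege than it started with (setuid binaries, file capabilities); a container whose entrypoint already runs as root keeps root, which as far as I know is the stock behaviour of `nginx:alpine` and is unknown here for `$CONTAINER_IMAGE`, so the hardening stays incomplete without `runAsNonRoot: true` and `capabilities: { drop: ["ALL"] }` next to it. Whether each image tolerates a non-root UID and an empty capability set has to be confirmed against the image itself (nginx in particular needs writable cache and pid paths), so those keys should be added per container under a `# TODO(security): verify image runs unprivileged before enabling` comment until that check is done. Because the block is hand-copied six times, enforcing the same settings with a cluster admission policy would also catch a future container that omits them.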
@@ -16,6 +16,8 @@ spec: containers: - name: migration image: $CONTAINER_IMAGE + securityContext: + allowPrivilegeEscalation: false command: [ "/bin/sh", "-c" ]