Helm chart security compliance

[manuelstein]

Policy-agent deployment should include runAsNonRoot: true:

policy-agent/helm/templates/agent.yaml

Line 164 in bc4e607

securityContext:

Also, the seccomp profile type is missing, e.g. `spec.securityContext.seccompProfile.type: "RuntimeDefault"

[waleedhammam]

Hey @manuelstein I have a couple of questions

Why do we need it to run as a root ? I think this would give full privileges within the container, potentially allowing them to perform actions that could harm the host system or other containers meanwhile the policy-agent doesn't need host-level access. It doesn't mount any volumes / change network settings .. etc

Also about spec.securityContext.seccompProfile.type: "RuntimeDefault" I think it's by default taking the default profile that applies to the containers that's provided by the container runtime unless there's a custom profile with some security requirements

[manuelstein]

No, the setting is called runAsNonRoot.

Currently, the Helm chart does not comply with https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted

Also, please check the recommendations on the seccompProfile following the link.

[waleedhammam]

Ah read it wrongly, it’s currently using user 1000 (non root). Will revisit the chart 👍