Linux bridge: Harden SCC by restricting SELinux context and allowed volume types #2331
Switch the SecurityContextConstraints (SCC) policy from RunAsAny to MustRunAs for the SELinux context. Additionally, specify the SELinux type as spc_t to better confine the privileged container. This strengthens the SELinux policy, ensuring that even privileged containers are restricted by a specific SELinux type, improving overall security posture. Signed-off-by: Ram Lavi <ralavi@redhat.com>
Limit the allowed volume types in the SCC to only hostPath, configMap, and secret, removing the wildcard "*" that allowed all volume types. This reduces the container's access to only the required volume types and follows the principle of least privilege for better security hardening. Signed-off-by: Ram Lavi <ralavi@redhat.com>
…mptyDir Harden the linux-bridge DaemonSet by enabling readOnlyRootFilesystem: true, ensuring that the container's root filesystem is immutable to enhance security. Since some system utilities (e.g., bash, cp, sha256sum) may require a writable /tmp directory, mount an emptyDir at /tmp to provide a writable scratch space, following container security best practices [0]. Also update the associated SCC to enforce readOnlyRootFilesystem: true at the policy level. [0] https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-storage:-emptydir Signed-off-by: Ram Lavi <ralavi@redhat.com>
Just a question.
Thanks for adding the table describing the changes.
- name: tmp
  mountPath: /tmp
why do we need access to /tmp ? Seems we didn't need it before. Why add it now ?
From the commit message:
Since some system utilities (e.g., bash, cp, sha256sum) may require a
writable /tmp directory, mount an emptyDir at /tmp to provide a writable
scratch space, following container security best practices [0].
Also update the associated SCC to enforce readOnlyRootFilesystem: true
at the policy level.
[0] https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-storage:-emptydir
IOW, if the files are too big they sometimes write to tmp. To be safe, mount an empty tmp folder so that it won't explode should some cp decide to use that folder.
Checked on kcli that linux-bridge is properly deployed (used U/S CNAO and /hold cancel
Once we return the DaemonSet of passt, one way or another, we will need to do more or less the same there, right? It also does more or less what the linux-bridge container does.
Pretty much, yes. All containers should adhere to SCC best practices, and it will probably have similar considerations.
What this PR does / why we need it:
This pull request improves the security posture of the linux-bridge SecurityContextConstraints (SCC) by introducing two changes:
- Switch the SELinux context strategy from RunAsAny to MustRunAs with the spc_t type.
- Limit the allowed volume types to hostPath, configMap, and secret.
Special notes for your reviewer:
To anticipate reviewers' requests, I commented on the PR why I did NOT remove other SCCs.
Release note:
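The checks below are an added example, not code from this PR or from the project: a small audit that flags the three SCC weaknesses this PR removes (SELinux RunAsAny instead of MustRunAs with a specific type, the volumes wildcard, and a writable root filesystem). Both SCC objects are constructed sample manifests written as Python dicts so the script runs without PyYAML; the field names are the real SCC fields (seLinuxContext, volumes, readOnlyRootFilesystem).

```python
# Constructed sample SCC objects (dicts, so no PyYAML needed); they model the
# linux-bridge SCC before and after this PR, not the project's real manifests.
SCC_BEFORE = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "linux-bridge"},
    "allowPrivilegedContainer": True,
    "seLinuxContext": {"type": "RunAsAny"},  # any SELinux label may be requested
    "volumes": ["*"],                         # wildcard: every volume plugin allowed
    "readOnlyRootFilesystem": False,          # container rootfs stays writable
}

# Hardened state mirroring the PR's commits.
SCC_AFTER = {
    **SCC_BEFORE,
    "seLinuxContext": {"type": "MustRunAs", "seLinuxOptions": {"type": "spc_t"}},
    "volumes": ["hostPath", "configMap", "secret"],
    "readOnlyRootFilesystem": True,
}

# Volume plugins the linux-bridge DaemonSet needs, per the PR's second commit.
REQUIRED_VOLUMES = {"hostPath", "configMap", "secret"}


def audit_scc(scc: dict) -> list:
    """Return a list of findings; an empty list means the SCC is hardened."""
    findings = []
    selinux = scc.get("seLinuxContext", {})
    if selinux.get("type") != "MustRunAs":
        findings.append("seLinuxContext.type is not MustRunAs")
    elif not selinux.get("seLinuxOptions", {}).get("type"):
        # MustRunAs alone still lets the pod pick a type; pin it in the SCC.
        findings.append("MustRunAs without seLinuxOptions.type: no SELinux type enforced")
    volumes = set(scc.get("volumes", []))
    if "*" in volumes:
        findings.append("volumes contains '*' (all volume plugins allowed)")
    elif volumes - REQUIRED_VOLUMES:
        findings.append(f"volumes beyond what linux-bridge needs: {sorted(volumes - REQUIRED_VOLUMES)}")
    if not scc.get("readOnlyRootFilesystem", False):
        findings.append("readOnlyRootFilesystem is not enforced")
    return findings


if __name__ == "__main__":
    for name, scc in (("before", SCC_BEFORE), ("after", SCC_AFTER)):
        print(f"{name}: {audit_scc(scc) or ['OK']}")
```

With readOnlyRootFilesystem enforced, the DaemonSet still needs the emptyDir scratch mount at /tmp discussed in the review thread; this audit covers the SCC policy only.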