Contributor

@diogoasouza diogoasouza commented Aug 1, 2025

Issue #291

@diogoasouza diogoasouza marked this pull request as ready for review August 6, 2025 01:40
@diogoasouza diogoasouza requested a review from a team as a code owner August 6, 2025 01:40
@diogoasouza diogoasouza requested a review from a team August 7, 2025 00:25
Comment on lines 194 to 196
# capabilities:
# drop:
# - ALL
Member

Question: can't we drop all caps?

Comment on lines 232 to 235
# capabilities:
# drop:
# - ALL
Member

Same comment as above.

# capabilities:
# drop:
# - ALL
# privileged: false
Member

And what about this?

Contributor Author

Sorry, I didn't understand your concern here

Member

Sorry, the comment is about line 197 - # privileged: false, but the UI rendered it as if it was for everything above.
My question is if we can explicitly set it to privileged: false.

Contributor Author

Got it! I changed it to explicitly set the value to false

@diogoasouza diogoasouza force-pushed the security-best-practices branch from f13cf04 to f5f6c93 Compare August 12, 2025 00:01
Member

@macedogm macedogm left a comment

Made a suggestion on a line that I believe was missed. Additionally, can we set?

    capabilities:
      drop:
      - ALL

@diogoasouza diogoasouza force-pushed the security-best-practices branch from f5f6c93 to 40bc06d Compare August 12, 2025 22:40
@diogoasouza diogoasouza requested a review from macedogm August 12, 2025 22:40
Member

jbiers commented Aug 13, 2025

As @macedogm mentioned, if possible we should drop all capabilities by default. If it disrupts the application flow, then we can at least try dropping as many capabilities as we can by default.

Otherwise LGTM

@diogoasouza diogoasouza force-pushed the security-best-practices branch from 40bc06d to 2b5519a Compare August 14, 2025 00:17
@diogoasouza
Contributor Author

@macedogm @jbiers I updated the PR with the requested changes

@diogoasouza diogoasouza merged commit 3e6606b into rancher:main Aug 14, 2025
9 checks passed
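
One way to check rendered manifests for the two settings requested in this review, as an added example (not code from this PR or from the project): it flags containers that do not drop ALL capabilities, that add capabilities back, or that leave privileged unset. The function name `audit_pod_spec` and the pod spec `SAMPLE_POD_SPEC` are hypothetical and constructed for illustration.

```python
# Added example: audit the container securityContext settings raised in this review.
# audit_pod_spec and SAMPLE_POD_SPEC are hypothetical names; the sample is constructed.

def audit_pod_spec(pod_spec):
    """Return (container_name, finding) tuples for capabilities and privileged.

    Both fields exist only on the container-level securityContext, not the
    pod-level one, so every container (init containers included) is checked.
    """
    findings = []
    containers = (pod_spec.get("initContainers") or []) + (pod_spec.get("containers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        drop = caps.get("drop") or []
        add = caps.get("add") or []

        if "ALL" not in drop:
            findings.append((name, "capabilities.drop does not include ALL"))
        if add:
            # Fallback case from the review: list what is added back so it can be justified.
            findings.append((name, "capabilities added back: " + ", ".join(sorted(add))))
        # Kubernetes treats an omitted value as false; the review asked for it to be explicit.
        if sc.get("privileged") is not False:
            findings.append((name, "privileged is not explicitly set to false"))
    return findings


# Constructed sample: one hardened container, one with the block left out
# (equivalent to leaving it commented out), one that adds a capability back.
SAMPLE_POD_SPEC = {
    "containers": [
        {"name": "hardened",
         "securityContext": {"capabilities": {"drop": ["ALL"]}, "privileged": False}},
        {"name": "defaults-only"},
        {"name": "partial",
         "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                             "privileged": False}},
    ]
}

if __name__ == "__main__":
    for container, finding in audit_pod_spec(SAMPLE_POD_SPEC):
        print(f"{container}: {finding}")
```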