Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Helm chart runs containers with higher privilege by default #143

Open
aaguiarz opened this issue Jun 22, 2024 · 1 comment
Open

Helm chart runs containers with higher privilege by default #143

aaguiarz opened this issue Jun 22, 2024 · 1 comment
Labels

Comments

@aaguiarz
Copy link
Member

Could the defaults for all install scripts be set to run the openfga server with limited permissions?

In the case of helm chart, this would achieve:

  • Not running server as root
  • Not allowing privilege escalation
  • Not allowing access to system calls unless required
  • Setting filesystem to readonly
  • Limiting access to mounted filesystems

This would greatly reduce the attack surface area.

@evankanderson
Copy link

It may be worth attempting to run containers under the restricted PodSecurityAdmission level, if possible. While this is not strictly required, it should be enough for most "normal" applications, and represents a substantial threat reduction over the Kubernetes defaults.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

2 participants