Project: OpenShift CFE
Parent: CFE-248 As a security/dev engineer I want to audit and implement the Node Observability Operator so that it complies with "least privilege" when deployed
Issue: CFE-377

[R&D] As a developer I need to investigate the use of a custom SCC with a custom SELinux setting so that the use of privileged containers can be mitigated


    • Type: Sub-task
    • Resolution: Done
    • Priority: Undefined
    • Sprint: CFE Sprint 216, CFE Sprint 217, CFE Sprint 218

      Overview

      Use a custom SCC associated with a custom SELinux policy so that the workload does not have to run as a privileged container.

      Investigate using the tool Udica (created by Lukas Vrabec, Red Hat).

      Time-box this task to 4 days (max).
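As an added illustration (not a manifest from this ticket or from the Node Observability Operator repository), this is the shape a custom SCC would take once a Udica-generated policy module is loaded on the nodes: the pod is pinned to that SELinux type and `allowPrivilegedContainer` stays false. The SCC name, the type name `nodeobs_container.process`, the namespace and the service account are assumed placeholders.

```yaml
# Added illustration, not the operator's own manifest. Assumes a policy
# module generated with Udica and installed on every node that will run
# the agent pod, roughly (as root on the host, container.json from
# `podman inspect`):
#   udica -j container.json nodeobs_container
#   semodule -i nodeobs_container.cil /usr/share/udica/templates/base_container.cil
# (udica prints the exact semodule line, including any extra templates).
# Udica names the resulting process domain <name>.process.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: node-observability-custom-selinux   # assumed name
# Higher than 'restricted' so admission prefers this SCC for the bound SA.
priority: 10
allowPrivilegedContainer: false             # the point of the exercise
allowPrivilegeEscalation: false
allowHostPID: false
allowHostNetwork: false
allowHostIPC: false
allowHostDirVolumePlugin: true              # only because hostPath is listed below
readOnlyRootFilesystem: true
allowedCapabilities: []
defaultAddCapabilities: []
requiredDropCapabilities:
  - ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs                           # admission rejects any other type
  seLinuxOptions:
    type: nodeobs_container.process         # assumed Udica-generated domain
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - projected
  - secret
users:
  # assumed namespace/service account of the agent pod
  - system:serviceaccount:node-observability-operator:node-observability-agent
```

To confirm admission actually selected this SCC, read the `openshift.io/scc` annotation on the running pod (`oc get pod <pod> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`), and `ps -eZ` on the node should show the agent process in the `nodeobs_container.process` domain rather than `spc_t`.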


      Outcome

      From the investigation, find out:

      • Is this feasible at all?
      • If it is feasible, provide a recommended workaround and how to implement it in the operator code base.
        • Example code, etc.
      • Create the necessary JIRA story/stories with high-level estimates of the effort and link them to the Node Observability Epic https://issues.redhat.com/browse/CFE-240
        • Unit tests to be completed and working
        • Update documentation if needed
        • Integration testing (ensure it works on a bare-metal cluster as well as AWS; GCP if time permits)
      • Update the security audit document (mitigation) https://docs.google.com/document/d/1D6Asw-dg1d6oii_ofThZiROnmvOl2XH8b559NnszCtk/edit#
      • Liaise with the security audit team


      skhoury@redhat.com Sherine Khoury
      luzuccar@redhat.com Luigi Mario Zuccarelli