Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-8895

[Docs] Restrict security context of pods by default

XMLWordPrintable

      The operator pod and the broker pods can run with a safer and restricted security context without issues. Restricting the security context of the pods by default allows to deploy a cluster of brokers also in Kubernetes namespaces with the restricted policy.

      The minimal changes to run the pods in Kubernetes namespaces with the restricted policy:

      • spec.containers[*].securityContext.allowPrivilegeEscalation: false
      • spec.initContainers[*].securityContext.allowPrivilegeEscalation: false
      • spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation: false
      • spec.securityContext.runAsNonRoot: true
      • spec.containers[*].securityContext.runAsNonRoot: true
      • spec.initContainers[*].securityContext.runAsNonRoot: true
      • spec.ephemeralContainers[*].securityContext.runAsNonRoot: true
      • spec.securityContext.seccompProfile.type: RuntimeDefault
      • spec.containers[*].securityContext.seccompProfile.type: RuntimeDefault
      • spec.initContainers[*].securityContext.seccompProfile.type: RuntimeDefault
      • spec.ephemeralContainers[*].securityContext.seccompProfile.type: RuntimeDefault
      • spec.containers[*].securityContext.capabilities.drop: ["ALL"]
      • spec.initContainers[*].securityContext.capabilities.drop: ["ALL"]
      • spec.ephemeralContainers[*].securityContext.capabilities.drop: ["ALL"]

              jcliffor@redhat.com John Clifford
              rh-messaging-ci Messaging CI
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: