Business Problem:

Provide better runtime execution security by defining explicitly what is allowed to run (execute bit) inside a given container, perhaps by a pod spec annotation or other configuration option.

Use Cases:

_On all container runtimes in production environments.
_

Key Functionality:

_Originally on reviewing the ability to block certain concerning binaries, such as the following:
_

https://github.com/stackrox/stackrox/blob/72b70d6fc6dcf9fef46ec7126981bd00db2dc728/central/risk/multipliers/image/risky_component.go#L30

https://github.com/stackrox/stackrox/blob/72b70d6fc6dcf9fef46ec7126981bd00db2dc728/pkg/defaults/policies/files/exec-netcat.json#L3

We wanted a quick an simple way to extend this list to add more binaries than the default.

However, on further thought, we decided it would be more secure to allow developers for an application to define known processes that should be allowed, while denying all others.  E.G. Allow: "java","/bin/tar","/bin/gzip","/bin/gunzip"

 __ 

Benefits:

_This transfers responsibility to the development teams to define what they know to be required for the application to run correctly.  All other process executions would be blocked as unexpected, unplanned, unknown. 
_ 

Acceptance criteria:

_Attempts to run binaries found in the container that are not defined as strictly required by an application development team fail to execute. 
_ 

Implementation Suggestions (optional):

• Integration: [Specify any existing systems or tools that the new feature should integrate with]

• Dependencies: [Describe any dependencies on other 3rd party integrations or OCP components] 

• User Experience: [Provide suggestions for designing the UI to optimize usability. Highlight other relevant aspects of the user experience ]

Timeline:

[Specify the preferred implementation date or any specific deadlines for the feature implementation]