OpenShift Request For Enhancement: RFE-6071

AllowList process filter on container runtimes

      Business Problem:

      Provide better runtime execution security by defining explicitly what is allowed to run (execute bit) inside a given container, perhaps by a pod spec annotation or other configuration option.

       

      Use Cases:

      On all container runtimes in production environments.

       

      Key Functionality:

      Originally, on reviewing the ability to block certain concerning binaries, such as the following:

       

      https://github.com/stackrox/stackrox/blob/72b70d6fc6dcf9fef46ec7126981bd00db2dc728/central/risk/multipliers/image/risky_component.go#L30

       

      https://github.com/stackrox/stackrox/blob/72b70d6fc6dcf9fef46ec7126981bd00db2dc728/pkg/defaults/policies/files/exec-netcat.json#L3

      we wanted a quick and simple way to extend this list with more binaries than the default.

       

      However, on further thought, we decided it would be more secure to allow the developers of an application to define the known processes that should be allowed, while denying all others, e.g. Allow: "java","/bin/tar","/bin/gzip","/bin/gunzip"
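      To make the proposed semantics concrete, the following is an added example (not StackRox, OpenShift or CRI-O code, and not part of this RFE) of the decision logic such an allowlist implies. It assumes a hypothetical pod annotation key, that a bare entry such as "java" matches on the basename of the executed path while an absolute entry such as "/bin/tar" matches the cleaned path exactly, and that anything not listed is denied. Note that a bare-name entry is satisfied by any binary with that basename wherever an attacker can write it, so path entries are the stronger form; also note this shows only the verdict, since where exec is actually intercepted (runtime hook, LSM, or the StackRox collector) is left open by the RFE.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// AllowListAnnotation is a hypothetical annotation key; the RFE does not define one.
const AllowListAnnotation = "rfe.example.com/allowed-processes"

// ProcessAllowList holds parsed entries: absolute paths match the cleaned exec
// path exactly, bare names match the basename of the exec path.
type ProcessAllowList struct {
	paths map[string]struct{}
	names map[string]struct{}
}

// ParseAllowList parses a comma-separated annotation value such as
// "java,/bin/tar,/bin/gzip,/bin/gunzip".
func ParseAllowList(value string) ProcessAllowList {
	al := ProcessAllowList{paths: map[string]struct{}{}, names: map[string]struct{}{}}
	for _, entry := range strings.Split(value, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		if strings.HasPrefix(entry, "/") {
			al.paths[path.Clean(entry)] = struct{}{}
		} else {
			al.names[entry] = struct{}{}
		}
	}
	return al
}

// Allowed reports whether an exec of execPath is permitted. Anything not listed
// is denied, which is the default-deny behaviour the RFE asks for.
func (al ProcessAllowList) Allowed(execPath string) bool {
	clean := path.Clean(execPath)
	if _, ok := al.paths[clean]; ok {
		return true
	}
	_, ok := al.names[path.Base(clean)]
	return ok
}

// ExecEvent is a constructed stand-in for a runtime exec event.
type ExecEvent struct {
	Container string
	ExecPath  string
}

// Decide evaluates exec events against per-container annotations and returns a
// verdict per "container:path". Containers without the annotation keep today's
// behaviour (everything allowed), so adoption can be per workload.
func Decide(annotations map[string]map[string]string, events []ExecEvent) map[string]bool {
	verdicts := map[string]bool{}
	for _, ev := range events {
		key := ev.Container + ":" + ev.ExecPath
		value, ok := annotations[ev.Container][AllowListAnnotation]
		if !ok {
			verdicts[key] = true
			continue
		}
		verdicts[key] = ParseAllowList(value).Allowed(ev.ExecPath)
	}
	return verdicts
}

func main() {
	// Constructed sample: one annotated container, one without.
	annotations := map[string]map[string]string{
		"app": {AllowListAnnotation: "java,/bin/tar,/bin/gzip,/bin/gunzip"},
	}
	events := []ExecEvent{
		{"app", "/usr/lib/jvm/java-17/bin/java"}, // allowed: basename "java"
		{"app", "/bin/tar"},                      // allowed: exact path
		{"app", "/usr/bin/nc"},                   // denied: not listed
		{"app", "/bin/../usr/bin/gzip"},          // denied: cleans to /usr/bin/gzip, not /bin/gzip
		{"sidecar", "/usr/bin/nc"},               // allowed: no annotation on this container
	}
	for key, allowed := range Decide(annotations, events) {
		fmt.Printf("%-40s allowed=%v\n", key, allowed)
	}
}
```

      The path-traversal case is the one to watch: an allowlist evaluated on the raw exec string can be bypassed by "/bin/../usr/bin/gzip", so paths must be canonicalised before comparison.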


       

      Benefits:

      This transfers responsibility to the development teams to define what they know to be required for the application to run correctly. All other process executions would be blocked as unexpected, unplanned, unknown.

      Acceptance criteria:

      Attempts to run binaries found in the container that are not defined as strictly required by an application development team fail to execute.

      Implementation Suggestions (optional):

      • Integration: [Specify any existing systems or tools that the new feature should integrate with]

       

      • Dependencies: [Describe any dependencies on other 3rd party integrations or OCP components] 

       

      • User Experience: [Provide suggestions for designing the UI to optimize usability. Highlight other relevant aspects of the user experience ]

       

      Timeline:

      [Specify the preferred implementation date or any specific deadlines for the feature implementation]

       

       

              rh-ee-masimonm Maria Simon Marcos
              rhn-gps-bward Brian Ward
              Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve