Uploaded image for project: 'OpenShift Pipelines'
  1. OpenShift Pipelines
  2. SRVKP-6412

Enforcing Seccomp Profile runtime/default on Pipelines SCC

XMLWordPrintable

    • 3
    • False
    • None
    • False
    • 3
    • Pipelines Sprint TekShift 13

      Story (Required)

      As an OpenShift cluster administrator, I want to enforce the use of the runtime/default seccomp profile on the pipelines SCC to ensure that all pipeline workloads are restricted to a minimal set of system calls. This change will improve the overall security of the workloads without compromising functionality.

       

      Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.

      https://complianceascode.github.io/content-pages/guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens

      Background (Required)

      <Describes the context or background related to this story>

      Out of scope

      <Defines what is not included in this story>

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated

      Legend

      Unknown

      Verified

      Unsatisfied

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

            jkhelil abdeljawed khelil
            jkhelil abdeljawed khelil
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: