Story
Resolution: Won't Do
Pipelines Sprint TekShift 13, Pipelines Sprint TekShift 14, Pipelines Sprint TekShift 15
Story (Required)
As an OpenShift cluster administrator, I want to enforce the use of the runtime/default seccomp profile on the pipelines SCC to ensure that all pipeline workloads are restricted to a minimal set of system calls. This change will improve the overall security of the workloads without compromising functionality.
Seccomp (secure computing mode) restricts the set of system calls an application can make, giving cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. Enable a profile so that workloads have only a restricted set of actions available within the container.
Background (Required)
<Describes the context or background related to this story>
Out of scope
<Defines what is not included in this story>
Approach (Required)
<Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>
Dependencies
<Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>
Acceptance Criteria (Mandatory)
<Describe edge cases to consider when implementing the story and defining tests>
<Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>
INVEST Checklist
- Dependencies identified
- Blockers noted and expected delivery timelines set
- Design is implementable
- Acceptance criteria agreed upon
- Story estimated
Legend
- Unknown
- Verified
- Unsatisfied
Done Checklist
- Code is completed, reviewed, documented and checked in
- Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
- Continuous Delivery pipeline(s) is able to proceed with new code included
- Customer facing documentation, API docs etc. are produced/updated, reviewed and published
- Acceptance criteria are met