Description of the problem/feature request
In addition to it being a best security practice for pods to have runAsUser set to a non-zero value, it is also recommended that the GID, determined by either the runtime default security context or the runAsGroup field, is set to a non-zero value.
Would like to propose either creating a new template/check or extending the existing run-as-non-root template to check against the runAsGroup field.
Description of the existing behavior vs. expected behavior
Below is a snippet of behavior when runAsUser is set to 0. Expected behavior would be along similar lines.
$ ./kube-linter lint ~/Documents/kube-linter/pkg/command/lint/testdata/valid-pod.yaml
KubeLinter 0.6.8
/home/user/Documents/kube-linter/pkg/command/lint/testdata/valid-pod.yaml: (object: <no namespace>/homebrew-demo /v1, Kind=Pod) container "homebrew-test" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)
Error: found 1 lint errors
Additional context
Not particularly familiar with Go, but would be glad to take a crack at this.
Just let me know if there's any particular preference to either extend or create a new template (or any other helpful suggestions/pointers).
ariyonaty changed the title [FEATURE_REQUEST] Expand run-as-non-root template to verify runAsGroup field is nonzero. Mar 17, 2024
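One way to express the check proposed in this issue, as an added example that is not kube-linter's code and not part of the original post: it resolves each container's effective runAsGroup (a container-level value overrides the pod-level one) and reports a GID of 0. The type names, the `checkRunAsGroup` function, the constructed JSON manifest, and the choice to also report an unset value are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod schema: only the fields this check reads.
type secCtx struct{ RunAsGroup *int64 `json:"runAsGroup"` }
type container struct {
	Name            string  `json:"name"`
	SecurityContext *secCtx `json:"securityContext"`
}
type pod struct {
	Spec struct {
		SecurityContext *secCtx     `json:"securityContext"`
		InitContainers  []container `json:"initContainers"`
		Containers      []container `json:"containers"`
	} `json:"spec"`
}

// checkRunAsGroup reports each container whose effective runAsGroup is 0 or
// unset (assumption: unset is flagged). Container level overrides pod level.
func checkRunAsGroup(manifest []byte) (findings []string, err error) {
	var p pod
	if err = json.Unmarshal(manifest, &p); err != nil {
		return nil, err
	}
	for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
		var gid *int64
		if p.Spec.SecurityContext != nil {
			gid = p.Spec.SecurityContext.RunAsGroup
		}
		if c.SecurityContext != nil && c.SecurityContext.RunAsGroup != nil {
			gid = c.SecurityContext.RunAsGroup
		}
		if gid == nil {
			findings = append(findings, fmt.Sprintf("%s: runAsGroup unset, GID is the runtime default", c.Name))
		} else if *gid == 0 {
			findings = append(findings, fmt.Sprintf("%s: runAsGroup is 0", c.Name))
		}
	}
	return findings, nil
}

// Constructed sample (JSON form of a Pod manifest), not taken from the issue.
const samplePod = `{"spec":{"securityContext":{"runAsGroup":3000},"containers":[{"name":"app"},{"name":"sidecar","securityContext":{"runAsGroup":0}}]}}`

func main() { fmt.Println(checkRunAsGroup([]byte(samplePod))) }
```

In the sample, `app` inherits GID 3000 from the pod and passes, while `sidecar` overrides it with 0 and is reported.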