helm chart security fixes for Oasis LMF #895

Open
michael-fehlmann opened this issue Sep 12, 2023 · 1 comment
Labels
Enhancement Small improvement or refinement. kubernetes

Comments

michael-fehlmann commented Sep 12, 2023

Issue Description

In order to fix security issues recognised by our scanning system we would like to request the following changes in Oasis helm charts:

  • Immutable (read-only) root filesystem should be enforced for all containers (each container should have readOnlyRootFilesystem: true and mount volumes if necessary)
  • Disable automounting API credentials (service account or pod level, automountServiceAccountToken: false). If the Kubernetes API is needed then it should be explicitly mounted.

Version / Environment information

  • OS / platform / environment used: Kubernetes 1.25+
  • affected Oasis versions: All

benhayes21 moved this to In Progress in Oasis Dev Team Tasks Oct 18, 2023
benhayes21 added the Enhancement (Small improvement or refinement.) label Oct 19, 2023


sambles commented Nov 3, 2023

To do - Kubernetes API

To do - Immutable root filesystem

Apply Read only (all of filesystem) to

  • oasis-task-controller
  • oasis-server
  • oasis-websocket
  • oasis-worker-controller
  • keycloak
  • flower
  • celery-beat

sambles linked a pull request Jan 11, 2024 that will close this issue
benhayes21 assigned sambles and unassigned slashme101 Feb 21, 2024
sambles moved this from In Progress to Todo in Oasis Dev Team Tasks Mar 3, 2024
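
As an added illustration (not taken from the Oasis charts or from any comment in this issue), this is how the two requested settings look in a rendered pod template, including an explicitly mounted API token for a workload that does need the Kubernetes API. The workload name, image and the writable `/tmp` mount are placeholders; which paths each Oasis container needs writable is an assumption to verify per component.

```yaml
# Constructed example: names, image and mount paths are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  replicas: 1
  selector:
    matchLabels: {app: example-app}
  template:
    metadata:
      labels: {app: example-app}
    spec:
      # Kubernetes default is true: a token is mounted into every container
      # at /var/run/secrets/kubernetes.io/serviceaccount.
      automountServiceAccountToken: false
      serviceAccountName: example-app        # only relevant if the API is used
      containers:
        - name: app
          image: registry.example/app:TAG    # placeholder
          securityContext:
            readOnlyRootFilesystem: true     # Kubernetes default is false
          volumeMounts:
            - name: tmp                      # writable scratch space
              mountPath: /tmp
            # Explicit API credentials; omit this mount and the
            # kube-api-access volume when the API is not needed.
            - name: kube-api-access
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
      volumes:
        - name: tmp
          emptyDir: {}
        - name: kube-api-access
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600    # short-lived, rotated by the kubelet
              - configMap:
                  name: kube-root-ca.crt
                  items: [{key: ca.crt, path: ca.crt}]
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef: {fieldPath: metadata.namespace}
```

With the root filesystem read-only, any path a container writes to at runtime fails unless it is backed by a volume, so each component should be exercised after the change to find the directories that need an `emptyDir` or persistent mount.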
Projects
Status: Todo

4 participants