Fix local docker-compose security settings for stock images
Remove cap_drop: ALL and no-new-privileges from postgres, redis, minio, and minio-init services. These stock images require certain capabilities (SETUID, SETGID, CHOWN) to switch users during initialization. Added KICS exceptions with documentation explaining these are local development only settings - production Kubernetes uses securityContext.
@@ -71,10 +71,6 @@ services:
|
|||||||
networks:
|
networks:
|
||||||
- orchard-network
|
- orchard-network
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
security_opt:
|
|
||||||
- no-new-privileges:true
|
|
||||||
cap_drop:
|
|
||||||
- ALL
|
|
||||||
deploy:
|
deploy:
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
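Review bot: deleting the `cap_drop:` / `- ALL` lines outright hands this service Docker's full default capability set (NET_RAW, SYS_CHROOT, MKNOD, FSETID and more), far more than the three capabilities the commit message says the entrypoint needs. Keep `cap_drop: ALL` and add `cap_add: [CHOWN, SETUID, SETGID]`, extending the list only with what the entrypoint's error output actually demands, so the local stack stays close to the production securityContext instead of diverging from it.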
@@ -100,10 +96,6 @@ services:
|
|||||||
networks:
|
networks:
|
||||||
- orchard-network
|
- orchard-network
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
security_opt:
|
|
||||||
- no-new-privileges:true
|
|
||||||
cap_drop:
|
|
||||||
- ALL
|
|
||||||
deploy:
|
deploy:
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
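Review bot: the justification for removing `- no-new-privileges:true` here should be verified against the real failure, because the mechanism the commit message describes (root switching to an unprivileged user at startup) is not what no_new_privs blocks: it stops a process from gaining privileges across execve (setuid/setgid bits, file capabilities), while a process already running as root that drops to another uid via setuid() is unaffected. If the container does crash with the setting on, the log line naming the failed operation belongs in the commit message; if it does not, the `security_opt:` block can stay.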
@@ -124,10 +116,6 @@ services:
|
|||||||
"
|
"
|
||||||
networks:
|
networks:
|
||||||
- orchard-network
|
- orchard-network
|
||||||
security_opt:
|
|
||||||
- no-new-privileges:true
|
|
||||||
cap_drop:
|
|
||||||
- ALL
|
|
||||||
deploy:
|
deploy:
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
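Review bot: this is the one service in the diff without a `restart: unless-stopped` line and with a multi-line command string (the closing `"` lines above `networks:`), which suggests a short-lived job rather than a long-running daemon; that is the cheapest place to keep `cap_drop: ALL` and `no-new-privileges:true`, since a one-shot shell command that performs no user switch has no reason for either relaxation. Suggest reverting the removal for this service unless it demonstrably fails with the hardening in place, and in that case recording the failing operation in the commit message.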
@@ -149,10 +137,6 @@ services:
|
|||||||
networks:
|
networks:
|
||||||
- orchard-network
|
- orchard-network
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
security_opt:
|
|
||||||
- no-new-privileges:true
|
|
||||||
cap_drop:
|
|
||||||
- ALL
|
|
||||||
deploy:
|
deploy:
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
|
|||||||
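Review bot: this is the fourth service losing the same two blocks, and the removal is unconditional rather than scoped to local development as the commit message describes. Move `security_opt:` and `cap_drop:` into a shared extension field (for example `x-hardening: &hardening`, merged into each service with `<<: *hardening`) and relax it only in a `docker-compose.override.yml` used for local runs; the base compose file then keeps the hardened settings KICS checks, and the override is the single place where `no-new-privileges` is absent.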
20
kics.config
@@ -23,3 +23,23 @@ exclude-queries:
|
|||||||
# Reason: We intentionally don't pin curl version to get security updates.
|
# Reason: We intentionally don't pin curl version to get security updates.
|
||||||
# This is documented with hadolint ignore comment in Dockerfile.
|
# This is documented with hadolint ignore comment in Dockerfile.
|
||||||
- 965a08d7-ef86-4f14-8792-4a3b2098937e
|
- 965a08d7-ef86-4f14-8792-4a3b2098937e
|
||||||
|
|
||||||
|
# Container Capabilities Unrestricted (MEDIUM)
|
||||||
|
# Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images require
|
||||||
|
# certain capabilities (SETUID, SETGID, CHOWN) to switch users at startup.
|
||||||
|
# cap_drop: ALL breaks these containers. Production Kubernetes deployments
|
||||||
|
# use securityContext with appropriate settings.
|
||||||
|
- ce76b7d0-9e77-464d-b86f-c5c48e03e22d
|
||||||
|
|
||||||
|
# No New Privileges Not Set (HIGH)
|
||||||
|
# Reason: LOCAL DEVELOPMENT ONLY. Stock postgres, redis, minio images need
|
||||||
|
# to escalate privileges during initialization (e.g., postgres switches from
|
||||||
|
# root to postgres user). no-new-privileges:true prevents this and causes
|
||||||
|
# containers to crash. Production Kubernetes deployments handle this via
|
||||||
|
# securityContext.
|
||||||
|
- 27fcc7d6-c49b-46e0-98f1-6c082a6a2750
|
||||||
|
|
||||||
|
# Security Opt Not Set (MEDIUM)
|
||||||
|
# Reason: LOCAL DEVELOPMENT ONLY. Related to above - security_opt is not set
|
||||||
|
# on database services because no-new-privileges breaks them.
|
||||||
|
- 610e266e-6c12-4bca-9925-1ed0cd29742b
|
||||||
|
|||||||
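Review bot: the three `exclude-queries` entries added here (`ce76b7d0-9e77-464d-b86f-c5c48e03e22d`, `27fcc7d6-c49b-46e0-98f1-6c082a6a2750`, `610e266e-6c12-4bca-9925-1ed0cd29742b`) silence those findings repository-wide, for every compose file and every service KICS scans, not just the four services the reason comments describe, so a hardening regression elsewhere would go unreported. Scope the exception to the affected blocks instead with KICS's inline ignore comment (`# kics-scan ignore-block` directly above each service definition) and add a tracking reference so the LOCAL DEVELOPMENT ONLY exceptions are revisited rather than becoming permanent. The "No New Privileges Not Set" reason text also needs rewording: the root-to-postgres switch it cites is a privilege drop, which `no-new-privileges:true` does not prevent.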