mirror of
https://github.com/intel/intel-device-plugins-for-kubernetes.git
synced 2025-06-03 03:59:37 +00:00
7f685b5d89
hostNetwork usage for SGX demo pods is not absolutely necessary so it's better to clean it up and make IAS "security" scanners happier. It was originally used to be able to use "localhost" PCCS but this change now adds an example how proper PCCS url can be configured using jq. Additionally, SGX DCAP Quote Verification is added. Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
28 lines
1.1 KiB
Plaintext
28 lines
1.1 KiB
Plaintext
# Image user should not be ‘root’
|
||
# Running containers with ‘root’ user can lead to a container escape situation.
|
||
# It is a best practice to run containers as non-root users, which can be done by
|
||
# adding # a ‘USER’ statement to the Dockerfile.
|
||
AVD-DS-0002
|
||
|
||
# Privileged containers share namespaces with the host system and do not offer any security.
|
||
# They should be used exclusively for system containers that require high # privileges.
|
||
# initcontainers require privileged access
|
||
AVD-KSV-0017
|
||
|
||
# Do not allow privilege escalation from node proxy
|
||
# Check whether role permits privilege escalation from node proxy
|
||
# gpu plugin in kubelet mode requires "nodes/proxy" resource access
|
||
AVD-KSV-0047
|
||
|
||
# Do not allow update/create of a malicious pod
|
||
# Check whether role permits update/create of a malicious pod
|
||
# device plugin operator requires access to daemonset creation etc.
|
||
AVD-KSV-0048
|
||
|
||
# HostPath present many security risks and as a security practice it is better to avoid critical host paths mounts.
|
||
# Some plugins require access to various host paths
|
||
AVD-KSV-0121
|
||
|
||
# Device plugins do not use any CSIs
|
||
## CVE-2019-11255
|