Split streams makes sense.
* Inside the container (don't do bad things, pretty easy)
* Outside the container (make sure it can't do bad things, harder because of immutability etc...)
On Mon, May 4, 2020 at 1:20 PM Shawn Wells shawn@redhat.com wrote:
On 5/4/20 12:51 PM, Trevor Vaughan wrote:
If you're supplying a container, and it needs privileged access to function, then it should be able to bring everything that it needs along with it.
What's the point of 'bundled stuff' otherwise?
It's easy to punt to the OS/Admin but we're trying to make it easier for them instead of having them give up on the whole thing due to complexity.
Believe we agree on the legitimacy of the challenge. Would contend conversation around privileged containers belongs to the container management platform.
E.g. in the OpenShift world the ability to run a privileged container is defined in a Security Context Constraint for the kubernetes pod. For the OpenShift SCAP content we would evaluate if "allowPrivilegedContainer" is true/false to organizational policy. Has nothing to do with configuration attestation of whatever is running /inside/ the container.
From a workflow perspective a compliance operator would scan the contents of the container image and the configuration of the pod. Behind the scenes this is likely two separate SCAP data streams but the user would only see one bundled scan.

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
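The two-stream, one-report model sketched in the thread (a platform check on the SCC's allowPrivilegedContainer, a separate workload check on the pod's own securityContext, merged into a single result for the user) can be illustrated with the following added example. It is not code from ComplianceAsCode/SSG or from the OpenShift compliance operator; the policy, the SCC and Pod documents, and the rule identifiers are constructed for illustration.

```python
# Added example, not ComplianceAsCode/SSG or compliance-operator code.
# Models two evaluation streams (platform SCC, workload pod spec) folded
# into one bundled report. All sample documents, policy values and rule
# identifiers below are constructed/hypothetical.

from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (rule_id, "pass" | "fail", detail)

# Constructed organizational policy (hypothetical keys).
POLICY = {
    # SCC names that may legitimately set allowPrivilegedContainer: true
    "privileged_sccs": {"privileged"},
    # Whether workloads may request privileged containers at all
    "workload_privileged_allowed": False,
}


def check_scc(scc: Dict, policy: Dict = POLICY) -> List[Finding]:
    """Platform stream: evaluate allowPrivilegedContainer on one SCC."""
    name = scc.get("metadata", {}).get("name", "<unnamed>")
    allowed = bool(scc.get("allowPrivilegedContainer", False))
    status = "fail" if allowed and name not in policy["privileged_sccs"] else "pass"
    return [("scc_allow_privileged_container", status,
             f"SCC {name}: allowPrivilegedContainer={str(allowed).lower()}")]


def check_pod(pod: Dict, policy: Dict = POLICY) -> List[Finding]:
    """Workload stream: evaluate each container's own securityContext."""
    findings: List[Finding] = []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        priv = bool(sc.get("privileged", False))
        bad = priv and not policy["workload_privileged_allowed"]
        findings.append(("pod_container_privileged", "fail" if bad else "pass",
                         f"pod {pod_name} container {c.get('name')}: "
                         f"privileged={str(priv).lower()}"))
    return findings


def bundled_scan(sccs: List[Dict], pods: List[Dict], policy: Dict = POLICY) -> Dict:
    """Run both streams and fold them into the single report a user would see."""
    platform = [f for scc in sccs for f in check_scc(scc, policy)]
    workload = [f for pod in pods for f in check_pod(pod, policy)]
    failed = [f for f in platform + workload if f[1] == "fail"]
    return {
        "result": "non-compliant" if failed else "compliant",
        "platform": platform,
        "workload": workload,
        "failed_rule_ids": sorted({f[0] for f in failed}),
    }


# Constructed sample documents: shape follows the SCC and Pod APIs, values are invented.
SAMPLE_SCCS = [
    {"apiVersion": "security.openshift.io/v1", "kind": "SecurityContextConstraints",
     "metadata": {"name": "privileged"}, "allowPrivilegedContainer": True},
    {"apiVersion": "security.openshift.io/v1", "kind": "SecurityContextConstraints",
     "metadata": {"name": "restricted"}, "allowPrivilegedContainer": False},
    {"apiVersion": "security.openshift.io/v1", "kind": "SecurityContextConstraints",
     "metadata": {"name": "team-custom"}, "allowPrivilegedContainer": True},
]
SAMPLE_PODS = [
    {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "agent"},
     "spec": {"containers": [
         {"name": "collector", "image": "example.invalid/collector:1",
          "securityContext": {"privileged": True}},
         {"name": "sidecar", "image": "example.invalid/sidecar:1"}]}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(bundled_scan(SAMPLE_SCCS, SAMPLE_PODS), indent=2))
```

With the constructed input the report is non-compliant on both streams: the custom SCC grants privileged containers outside the policy's allow-list, and the "collector" container asks for privileged mode in its own spec. The two streams stay independent (a clean SCC does not excuse a privileged pod spec, and vice versa), which is the split the thread argues for.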