On 5/4/20 12:51 PM, Trevor Vaughan wrote:
> If you're supplying a container, and it needs privileged access to function, then it should be able to bring everything that it needs along with it.
> What's the point of 'bundled stuff' otherwise?
> It's easy to punt to the OS/Admin but we're trying to make it easier for them instead of having them give up on the whole thing due to complexity.
Believe we agree on the legitimacy of the challenge. Would contend conversation around privileged containers belongs to the container management platform.
E.g. in the OpenShift world the ability to run a privileged container is defined in a Security Context Constraint for the Kubernetes pod. For the OpenShift SCAP content we would evaluate whether "allowPrivilegedContainer" is true/false against organizational policy. Has nothing to do with configuration attestation of whatever is running /inside/ the container.
From a workflow perspective a compliance operator would scan the contents of the container image and the configuration of the pod. Behind the scenes this is likely two separate SCAP data streams but the user would only see one bundled scan.
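As an added illustration of the platform-side half of that scan (not code from the thread or from any compliance operator), the check below evaluates constructed SecurityContextConstraints and Pod objects against an assumed organizational policy: which SCC names may set allowPrivilegedContainer and which namespaces may run privileged containers. The `openshift.io/scc` annotation and the field names follow the OpenShift/Kubernetes APIs; the sample objects and policy values are made up.

```python
import json

# Constructed sample objects shaped like security.openshift.io/v1
# SecurityContextConstraints and core/v1 Pods; not from a real cluster.
SAMPLE_SCCS = json.loads("""[
 {"metadata": {"name": "restricted"}, "allowPrivilegedContainer": false},
 {"metadata": {"name": "privileged"}, "allowPrivilegedContainer": true},
 {"metadata": {"name": "custom-hostnet"}, "allowPrivilegedContainer": true}
]""")

SAMPLE_PODS = json.loads("""[
 {"metadata": {"name": "web", "namespace": "app",
   "annotations": {"openshift.io/scc": "restricted"}},
  "spec": {"containers": [{"name": "web", "securityContext": {}}]}},
 {"metadata": {"name": "node-agent", "namespace": "infra",
   "annotations": {"openshift.io/scc": "privileged"}},
  "spec": {"containers": [{"name": "agent",
            "securityContext": {"privileged": true}}]}},
 {"metadata": {"name": "batch", "namespace": "app",
   "annotations": {"openshift.io/scc": "custom-hostnet"}},
  "spec": {"containers": [{"name": "job",
            "securityContext": {"privileged": true}}]}}
]""")


def evaluate(sccs, pods, allowed_sccs=("privileged",), allowed_namespaces=("infra",)):
    """Return (object, finding) pairs for pod/SCC configuration that violates
    the assumed policy. This is the platform-configuration stream only; it says
    nothing about the contents of the container images."""
    findings = []
    # SCCs that permit privileged containers at all.
    privileged_sccs = {s["metadata"]["name"] for s in sccs
                       if s.get("allowPrivilegedContainer")}
    for name in sorted(privileged_sccs - set(allowed_sccs)):
        findings.append(("scc/" + name,
                         "allowPrivilegedContainer is true but SCC is not approved"))
    for pod in pods:
        meta = pod["metadata"]
        ref = "pod/%s/%s" % (meta["namespace"], meta["name"])
        scc = meta.get("annotations", {}).get("openshift.io/scc", "")
        runs_privileged = any(c.get("securityContext", {}).get("privileged")
                              for c in pod["spec"]["containers"])
        if runs_privileged and meta["namespace"] not in allowed_namespaces:
            findings.append((ref, "privileged container outside approved namespaces"))
        if runs_privileged and scc not in privileged_sccs:
            findings.append((ref, "privileged container admitted under SCC %r "
                                  "that does not allow it" % scc))
    return findings


if __name__ == "__main__":
    for obj, msg in evaluate(SAMPLE_SCCS, SAMPLE_PODS):
        print("FAIL %s: %s" % (obj, msg))
```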