Che plugin container security spec
Summary
Hi, I am currently looking into creating a chePlugin which requires a custom container with the IPC_LOCK security context set. The current chePlugin specification does not expose any container security configuration. I think we can work around the current state by instead using a type: kubernetes component block in our stack's devfile, however, handling this in the chePlugin YAML spec would be ideal.
Are there any plans to add container security configuration to the chePlugin YAML spec?
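As an added example (not from the issue or the Che project), this is what the workaround mentioned above looks like as a devfile 1.0 type: kubernetes component: the sidecar is granted only the IPC_LOCK capability instead of running privileged, with all other capabilities dropped. The component alias, pod name and image are placeholders.

```yaml
# Added example, not the Che project's own code. Placeholders: alias,
# pod/container name and image. Only IPC_LOCK is added so gnome-keyring
# can lock its memory; every other capability is dropped.
apiVersion: 1.0.0
metadata:
  name: keyring-plugin-workspace        # placeholder workspace name
components:
  - type: kubernetes
    alias: keyring-sidecar              # placeholder alias
    referenceContent: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: keyring-sidecar           # placeholder
      spec:
        containers:
          - name: keyring
            image: example.org/placeholder/keyring-sidecar:latest   # placeholder
            securityContext:
              # Weak setting to avoid: 'privileged: true' grants every
              # capability plus host device access, far more than needed.
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
                add: ["IPC_LOCK"]       # the single capability gnome-keyring needs
```

To confirm the container ended up with exactly that capability, inspect CapEff in /proc/1/status inside the container and decode it with capsh --decode; added capabilities only land in the effective set when the process runs as root or the binary carries file capabilities.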
Issue Analytics
- Created 4 years ago
- Comments: 8 (5 by maintainers)
Top GitHub Comments
I agree generalized privilege escalation is a security risk.
I didn’t specify this well in my initial question, but I’m interested in specific security capabilities, not general privilege escalation. I don’t know enough about Linux capabilities to determine if they’re an equal security risk to the general escalation case, or if some subset would be allowable.
And to bring my question to the real use case - we have a plugin which stores encrypted credentials, and we use keytar for that. The gnome-keyring daemon underpinning keytar requires IPC_LOCK to prevent credentials being paged off to disk.

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close. Mark the issue as fresh with /remove-lifecycle stale in a new comment. If this issue is safe to close now please do so.
Moderators: Add lifecycle/frozen label to avoid stale mode.