
Che plugin container security spec


Summary

Hi, I am currently looking into creating a chePlugin which requires a custom container with the IPC_LOCK security context set. The current chePlugin specification does not expose any container security configuration. I think we can work around the current state by instead using a type: kubernetes component block in our stack’s devfile; however, handling this in the chePlugin YAML spec would be ideal.

Are there any plans to add container security configuration to the chePlugin YAML spec?

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Comments: 8 (5 by maintainers)

Top GitHub Comments

1 reaction
MarkAckert commented, Feb 12, 2020

I agree generalized privileged escalation is a security risk.

I didn’t specify this well in my initial question, but I’m interested in specific security capabilities, not general privilege escalation. I don’t know enough about Linux capabilities to determine if they’re an equal security risk to the general escalation case, or if some subset would be allowable.

And to bring my question to the real use case - we have a plugin which stores encrypted credentials, and we use keytar for that. The gnome-keyring daemon underpinning keytar requires IPC_LOCK to prevent credentials being paged off to disk.
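The workaround mentioned in the summary (a type: kubernetes component in the devfile rather than the chePlugin spec) applied to the gnome-keyring use case above, written here as an added example that is not from the issue or the Che project; the image name, component alias and pod name are placeholders. It grants only CAP_IPC_LOCK (which lets the keyring daemon lock memory beyond RLIMIT_MEMLOCK so secrets are not paged to disk) instead of a privileged container, and drops every other capability:

```yaml
# Devfile 1.0 stack with a sidecar that needs only IPC_LOCK (example, not project code).
apiVersion: 1.0.0
metadata:
  name: keytar-workspace          # placeholder name
components:
  - type: kubernetes
    alias: keyring-sidecar        # placeholder alias
    referenceContent: |
      apiVersion: v1
      kind: Pod
      metadata:
        name: keyring             # placeholder name
      spec:
        containers:
          - name: keyring
            image: quay.io/example/keyring-sidecar:latest   # placeholder image
            securityContext:
              # Do NOT use privileged: true here; that is the generalized
              # escalation the maintainers object to. Add the single
              # capability gnome-keyring needs and drop everything else.
              privileged: false
              allowPrivilegeEscalation: false
              runAsNonRoot: true
              capabilities:
                drop: ["ALL"]
                add: ["IPC_LOCK"]   # Kubernetes omits the CAP_ prefix
```

Whether the cluster admits this pod still depends on its pod security admission or PodSecurityPolicy allowing IPC_LOCK for the workspace namespace; the devfile only requests the capability.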

0 reactions
che-bot commented, Jan 4, 2021

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.
