Configure terminal pods to adhere to PSS and allow only required capabilities

[dimityrmirchev]

What would you like to be added:
As of now terminal pods do not set much of the Pod Security Standards controls. It would be beneficial if these pods adhere to the PSS as much as possible, i.e. allow only required capabilities. Such configuration would include (non-exhaustive list of settings(Pod Security Context reference)):

• dropping container capabilities and only allowing required capabilities
• running as non root when possible (runAsNonRoot )
• setting the SeccompProfile to RuntimeDefault
• forbid allowPrivilegeEscalation
• set readOnlyRootFilesystem if possible
• consider mounting volumes as readonly if possible

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 60d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 60d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as active with /lifecycle active
• Mark this issue as frozen with /lifecycle frozen
• Mark this issue as fresh with /remove-lifecycle stale
• Mark this issue as rotten with /lifecycle rotten
• Close this issue with /close

/lifecycle stale

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 60d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 60d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as active with /lifecycle active
• Mark this issue as frozen with /lifecycle frozen
• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close

/lifecycle rotten

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 60d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 60d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as active with /lifecycle active
• Mark this issue as frozen with /lifecycle frozen
• Mark this issue as fresh with /remove-lifecycle rotten

/close

[gardener-prow]

@gardener-ci-robot: Closing this issue.

Details

In response to this:

The Gardener project currently lacks enough active contributors to adequately respond to all issues.
This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 60d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 60d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as active with /lifecycle active
• Mark this issue as frozen with /lifecycle frozen
• Mark this issue as fresh with /remove-lifecycle rotten

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[petersutter]

/reopen

TCM should apply least-privilege security defaults for terminal pods where this does not break supported use cases. Even privileged or host-access terminal pods may still have room for hardening, as long as their intended troubleshooting capabilities remain intact.

[gardener-prow]

@petersutter: Reopened this issue.

Details

In response to this:

/reopen

TCM should apply least-privilege security defaults for terminal pods where this does not break supported use cases. Even privileged or host-access terminal pods may still have room for hardening, as long as their intended troubleshooting capabilities remain intact.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.