IBM Cloud Private Public Portal


Make ICAM compliant with PodSecurityPolicy best practices

Currently the PSP (PodSecurityPolicy) in ICAM 3.1.0 does not implement the following best practices:

1/ runAsUser rule should be set to "MustRunAsNonRoot"

    runAsUser:
      rule: RunAsAny (MustRunAsNonRoot required)

2/ allowPrivilegeEscalation should be set to "false"

    allowPrivilegeEscalation: true (false required)

3/ readOnlyRootFilesystem should be set to "true"

    readOnlyRootFilesystem: false (true required)

This idea intends to fix those gaps in the PSP and maximize the security of ICAM.
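As an added example (not code from the idea, ICAM or ICP), a small Python check that evaluates a PodSecurityPolicy spec against the three practices listed above, using the reported ICAM 3.1.0 settings and the corrected settings as constructed samples with hypothetical policy names. It goes slightly beyond the idea's list: it applies the PSP API defaults for omitted fields and treats a MustRunAs rule as non-root only when none of its UID ranges include 0.

```python
# Constructed samples: the PSP settings the idea reports for ICAM 3.1.0 and the
# same spec with the three settings corrected. Policy names are hypothetical.
WEAK_PSP = {
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "icam-psp-current"},
    "spec": {
        "runAsUser": {"rule": "RunAsAny"},
        "allowPrivilegeEscalation": True,
        "readOnlyRootFilesystem": False,
    },
}

HARDENED_PSP = {
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "icam-psp-restricted"},
    "spec": {
        "runAsUser": {"rule": "MustRunAsNonRoot"},
        "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": True,
    },
}

def root_allowed(run_as_user):
    """True if the runAsUser stanza still lets a container run as uid 0."""
    rule = run_as_user.get("rule", "RunAsAny")
    if rule == "MustRunAsNonRoot":
        return False
    if rule == "MustRunAs":
        # MustRunAs pins UIDs to explicit inclusive ranges; root is blocked
        # only when no range includes uid 0.
        ranges = run_as_user.get("ranges", [])
        return not ranges or any(r["min"] <= 0 <= r["max"] for r in ranges)
    return True  # RunAsAny (or an unknown rule) imposes no restriction

def psp_findings(psp):
    """Return the violated best practices; an empty list means the PSP passes.

    Omitted fields are judged by the PSP API defaults (allowPrivilegeEscalation
    true, readOnlyRootFilesystem false), so leaving them out is just as weak.
    """
    spec = psp.get("spec", {})
    findings = []
    if root_allowed(spec.get("runAsUser", {})):
        findings.append("runAsUser.rule must be MustRunAsNonRoot")
    if spec.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation must be false")
    if not spec.get("readOnlyRootFilesystem", False):
        findings.append("readOnlyRootFilesystem must be true")
    return findings
```

Running `psp_findings(WEAK_PSP)` reports all three gaps, while the hardened spec returns an empty list.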


For reference:

  • Guest
  • Feb 22 2019
  • In Plan
Who would benefit from this IDEA? As a customer I can install ICAM in ICP with the restricted PSP available as a default in ICP so I can maximize the security of my environment
  • Admin
    Bill Stoddard commented
    25 Feb 15:48

    1/ runAsUser rule should be set to "MustRunAsNonRoot"

        runAsUser:
          rule: RunAsAny (MustRunAsNonRoot required)

    Implemented in 3.1.2 (except if audit is required. The ICP audit sidecar only runs as root. This is an ICP limitation).

    2/ allowPrivilegeEscalation should be set to "false"

        allowPrivilegeEscalation: true (false required)

    Implemented in 3.1.2

    3/ readOnlyRootFilesystem should be set to "true"

        readOnlyRootFilesystem: false (true required)

    Tentative 2Q delivery

  • Guest commented
    25 Oct 10:22

    Hi Ian / Bill,

    It seems that the readOnlyRootFilesystem=true could not make it for the Q2 delivery.

    When can it be delivered?