Make least-privilege exemptions for ztunnel and install-cni pods #1027

Open
Tracked by #681
mjnagel opened this issue Nov 20, 2024 · 1 comment · May be fixed by #1175
Labels
istio Issues related to istio components / resources security

Comments

mjnagel (Contributor) commented Nov 20, 2024

#699 currently has catch-all exemptions for the ztunnel and istio-cni pods. These exemptions should be slimmed down to just what is necessary for running these applications. All exemptions should have adequate descriptions to provide the "why".

sgettys (Contributor) commented Jan 9, 2025

This is part of the ambient PR; the minimum required exemptions for ztunnel and CNI are part of the ambient update to the istio package.

sgettys linked a pull request Jan 14, 2025 that will close this issue

mjnagel added the security and istio (Issues related to istio components / resources) labels Jan 16, 2025