mervincm (Contributor, joined Mar 21, 2014, 157 messages)
I see fairly extensive recommendations for this, but is this not a fundamentally dangerous activity?
As an example, we did just see a major security-focused company (LastPass) experience an existential breach that started with a vulnerability in an external-facing (Plex) service. If my Plex pod is running under apps (568) and gets compromised, is that not a path to all data/config that ID has permission to? If I have 20 apps running as 568, that is a whole lot of data/config at risk. If I ran Plex under a dedicated ID, one that only has write access to its config PVC and read access to media, that would seem to be a much safer situation.
iX official charts are a bit of an unknown, as many of them do not have a configuration item for credentials (ID/group). It is not obvious to me which credentials each one runs under.
TrueCharts apps commonly use apps or root as a default. That seems the opposite of a good idea.
Linked: What is Principle of Least Privilege (POLP)? | CrowdStrike (www.crowdstrike.com): "POLP ensures only authorized users whose identity has been verified have the necessary permissions to execute jobs within certain systems, applications, data and other assets."
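The dedicated-ID layout the post asks about, written out as an added example in plain Kubernetes Pod form; this is not from the post and not from any iX or TrueCharts chart. UID 568 (apps) is the TrueNAS SCALE default the post names; UID/GID 1001, the PVC name, the dataset path and the image placeholder are assumed values chosen for illustration.

```yaml
# Added example: a Plex pod running as its own UID instead of the shared
# "apps" user (568), with write access limited to its config PVC and
# read-only access to media. All names and numbers below are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: plex-dedicated-uid
spec:
  securityContext:
    runAsUser: 1001        # dedicated Plex user instead of the shared 568
    runAsGroup: 1001
    runAsNonRoot: true     # kubelet refuses to start the container as UID 0
    fsGroup: 1001          # files on the config PVC become accessible to 1001
  containers:
    - name: plex
      image: PLEX_IMAGE_PLACEHOLDER   # use the image the chart pins
      securityContext:
        allowPrivilegeEscalation: false   # no setuid gains inside the pod
        capabilities:
          drop: ["ALL"]                   # nothing beyond an unprivileged user
      volumeMounts:
        - name: config
          mountPath: /config            # read-write: only this PVC
        - name: media
          mountPath: /media
          readOnly: true                # media is read-only at mount time
  volumes:
    - name: config
      persistentVolumeClaim:
        claimName: plex-config          # assumed PVC name
    - name: media
      hostPath:
        path: /mnt/tank/media           # assumed dataset path
        type: Directory
```

Pairing this with a dataset ACL that grants UID 1001 read-only access to the media dataset keeps the restriction in place even if the `readOnly` mount flag is later dropped from the spec; `kubectl exec <pod> -- id` confirms the effective UID. Images that start as root and drop privileges themselves expect their own UID/GID environment variables rather than `runAsUser`, so check which style the chosen image uses.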