mervincm (Contributor, joined Mar 21, 2014, 157 messages)
I see fairly extensive recommendations for this, but is this not a fundamentally dangerous activity?
As an example: we did just see a major security-focused company (LastPass) experience an existential breach that started with a vulnerability in an external-facing (Plex) service. If my (Plex) pod is running under apps (568) and gets compromised, is that not a path to all data/config that ID has permission to? If I have 20 apps running as 568, that is a whole lot of data/config at risk. If I ran Plex under a dedicated ID, one that only has write access to its config PVC and read access to media, that would seem to be a much safer situation.
Linked: What is Principle of Least Privilege (POLP)? - CrowdStrike (www.crowdstrike.com): "POLP ensures only authorized users whose identity has been verified have the necessary permissions to execute jobs within certain systems, applications, data and other assets."
iX official charts are a bit of an unknown, as many of them do not have a configuration item for credentials (ID/Group). It is not obvious to me what credentials each one runs under.
TrueCharts apps commonly use apps or root as a default. That seems the opposite of a good idea.
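The arrangement the post describes (a dedicated UID, write access only to the config volume, read-only media), written out as a plain Kubernetes Pod spec. This is an added example, not code from the post, from iX or from TrueCharts; it assumes UID/GID 1001 is a dedicated Plex account created on the host, that the two hostPath directories exist with on-disk permissions already granting that account write and read access respectively, and that the image name is a placeholder.

```yaml
# Added example (not from the post, iX or TrueCharts). Assumptions: UID/GID 1001
# is a dedicated "plex" account on the host; /mnt/tank/apps/plex is writable by
# it and /mnt/tank/media readable by it at the filesystem level. Kubernetes does
# not change hostPath ownership, so those host permissions must already be set.
apiVersion: v1
kind: Pod
metadata:
  name: plex
spec:
  securityContext:
    runAsUser: 1001           # dedicated UID instead of the shared "apps" (568)
    runAsGroup: 1001
    runAsNonRoot: true        # kubelet refuses to start the container as UID 0
  containers:
    - name: plex
      image: plexinc/pms-docker   # placeholder image reference; any image works
      securityContext:
        allowPrivilegeEscalation: false   # no setuid/setcap gain after start
        capabilities:
          drop: ["ALL"]                   # no Linux capabilities at all
      volumeMounts:
        - name: config
          mountPath: /config              # the only volume the process may write
        - name: media
          mountPath: /media
          readOnly: true                  # read-only bind mount: writes get EROFS
  volumes:
    - name: config
      hostPath:
        path: /mnt/tank/apps/plex
        type: Directory
    - name: media
      hostPath:
        path: /mnt/tank/media
        type: Directory
```

A compromise of this pod then reaches only /config and a read-only view of /media, not the data and config of every other app that runs as 568.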