C0: review operator-managed-pods CC (2026-04-21)
Tailscale operator still defaults to privileged proxy pods with no seccomp profile (issue #7359 open upstream). Control remains valid. Added note about ProxyClass + device plugin remediation path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
a9ef02a602
commit
0ceafc374d
1 changed files with 7 additions and 2 deletions
|
|
@ -77,11 +77,16 @@ controls:
|
||||||
operator, not user manifests. Operator is tracked in
|
operator, not user manifests. Operator is tracked in
|
||||||
service-versions.yaml and regularly updated.
|
service-versions.yaml and regularly updated.
|
||||||
created: 2026-03-30
|
created: 2026-03-30
|
||||||
last-reviewed: 2026-03-30
|
last-reviewed: 2026-04-21
|
||||||
notes: >-
|
notes: >-
|
||||||
Verify operator version is current via 'mise run service-review'.
|
Verify operator version is current via 'mise run service-review'.
|
||||||
Check Tailscale changelog for security fixes. If operator adds
|
Check Tailscale changelog for security fixes. If operator adds
|
||||||
seccomp support, remove these mutes.
|
seccomp support, remove these mutes. As of 2026-04-21: still no
|
||||||
|
default seccomp on operator-generated pods (upstream issue #7359
|
||||||
|
open). A ProxyClass + generic device plugin can downgrade proxies
|
||||||
|
from privileged to NET_ADMIN+NET_RAW and set seccompProfile —
|
||||||
|
potential future remediation to remove the seccomp mute without
|
||||||
|
waiting for upstream defaults.
|
||||||
|
|
||||||
- id: ephemeral-privileged-jobs
|
- id: ephemeral-privileged-jobs
|
||||||
description: >-
|
description: >-
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue