From 24e549025952e9eb17ab58fe2c1b9db2ac3b857f Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 4 May 2026 18:31:13 -0700 Subject: [PATCH] =?UTF-8?q?C0:=20review=20CC=20init-container-isolation=20?= =?UTF-8?q?=E2=80=94=20defer=20retirement=20to=20post-ringtail?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Runtime grafana pod matches the manifest and the CC's claim; bumped last-reviewed. Noted that retiring init-chown-data in favor of fsGroup alone should wait until grafana migrates to ringtail's k3s, since the storage backend will change. Co-Authored-By: Claude Opus 4.7 (1M context) --- compensating-controls.yaml | 7 ++++++- .../+review-cc-init-container-isolation.misc.md | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 docs/changelog.d/+review-cc-init-container-isolation.misc.md diff --git a/compensating-controls.yaml b/compensating-controls.yaml index a6dbc56..658c99d 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml @@ -129,11 +129,16 @@ controls: containers run as non-root (UID 472) with all capabilities dropped. created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-05-04 notes: >- Verify by inspecting grafana deployment.yaml securityContext for both init and runtime containers. If fsGroup alone can handle PVC ownership, remove init-chown-data and this control. + Retirement deferred until grafana lands on ringtail's k3s + (see [[indri-k8s-migration]]) — storage backend will change, + and removing init-chown-data right before that migration + trades a real safety net for marginal cleanup. Revisit + post-migration. - id: node-config-automated-verification description: >- diff --git a/docs/changelog.d/+review-cc-init-container-isolation.misc.md b/docs/changelog.d/+review-cc-init-container-isolation.misc.md new file mode 100644 index 0000000..295e7f8 --- /dev/null +++ b/docs/changelog.d/+review-cc-init-container-isolation.misc.md 
@@ -0,0 +1 @@ +Reviewed compensating control `init-container-isolation` (35 days stale). Grafana's running pod matches the manifest and the CC's claim — only `init-chown-data` runs as root with `CHOWN`; runtime containers all run as UID 472 with all caps dropped. Retirement (replacing init-chown-data with `fsGroup` alone) is plausible given the in-tree minikube-hostpath provisioner, but deferred until grafana lands on ringtail's k3s — note added to the CC.
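Review bot: In the compensating-controls.yaml hunk, the new deferral paragraph now contradicts the sentence kept immediately above it ("If fsGroup alone can handle PVC ownership, remove init-chown-data and this control."), so a reader of the `notes` field gets two instructions: remove it when fsGroup suffices, and do not remove it until after the migration. Suggest qualifying the earlier sentence (for example "... remove init-chown-data and this control, but only after the k3s migration below") so the retirement condition is stated once. Separately, the changelog entry shows this control was flagged as "35 days stale", i.e. review cadence appears to be tooling-driven off `last-reviewed`; "Revisit post-migration" lives only in free text, so the next stale check will not know about the migration dependency. If the control schema has a field for a review trigger or a next-review date, record the deferral there as well rather than only in `notes`.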
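Review bot: The changelog entry states that the running pod matches the manifest (only `init-chown-data` as root with `CHOWN`, runtime containers UID 472 with all caps dropped) but does not record how that was checked, so the next reviewer cannot repeat the verification; suggest adding the inspection performed (for example the pod `securityContext` fields compared against deployment.yaml) to the entry or to the control's `notes`. The entry also names the current storage backend (the in-tree minikube-hostpath provisioner) as the reason retirement is plausible now, yet the control's `notes` only say the backend "will change"; carrying that provisioner name into the control text would make the retirement condition concrete and checkable after the migration.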