1+ # Image user should not be ‘root’
2+ # Running containers with ‘root’ user can lead to a container escape situation.
3+ # It is a best practice to run containers as non-root users, which can be done by
4+ # adding # a ‘USER’ statement to the Dockerfile.
5+ AVD-DS-0002
6+ 
7+ # Privileged containers share namespaces with the host system and do not offer any security.
8+ # They should be used exclusively for system containers that require high  # privileges.
9+ # initcontainers require privileged access
10+ AVD-KSV-0017
11+ 
12+ # Sharing the host’s network namespace permits processes in the pod to communicate with
13+ # processes bound to the host’s loopback adapter.
14+ # sgx single-node demo deployment uses hostNetwork: true to be able to use the default setting for PCCS URL from containers
15+ AVD-KSV-0009
16+ 
17+ # Do not allow privilege escalation from node proxy
18+ # Check whether role permits privilege escalation from node proxy
19+ # gpu plugin in kubelet mode requires "nodes/proxy" resource access
20+ AVD-KSV-0047
21+ 
22+ # Do not allow update/create of a malicious pod
23+ # Check whether role permits update/create of a malicious pod
24+ # device plugin operator requires access to daemonset creation etc.
25+ AVD-KSV-0048
26+ 
27+ # Device plugins do not use any CSIs
28+ ## CVE-2019-11255
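Review bot: The AVD-DS-0002 entry (lines 1-5) carries no justification for the ignore: its three comment lines only restate the check's own description, whereas every other entry says which component needs the exception (init containers, the SGX single-node demo, the GPU plugin in kubelet mode, the operator). Add the reason here too, e.g. which image cannot run with a `USER` statement and why, or fix the Dockerfile instead of suppressing the finding. Also note that entries in this file apply repo-wide: AVD-KSV-0017 and AVD-KSV-0009 now silence the privileged-container and hostNetwork checks for every manifest in the repository, not only the init containers and the demo deployment the comments mention, so a new deployment that sets `privileged: true` or `hostNetwork: true` would pass unnoticed; if the Trivy version in use supports path- or resource-scoped ignores, scope these entries to the specific manifests, and consider an expiry so the exceptions get revisited. Style: lines 4 and 8 contain a stray mid-line `#` (`# adding # a ‘USER’ statement`, `require high  # privileges`) left over from pasting the check descriptions, and line 28 uses `##` where the rest of the file uses `#`.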