ASM-17961: mirror strict security hardening in docker-compose POC stack. #25
Hanan-Akeyless wants to merge 2 commits into
Apply non-root user, cap drops, and resource limits for gateway and web; replace SSH privileged mode with the documented Phase A capability set.
Co-authored-by: Cursor <cursoragent@cursor.com>
No actionable comments were generated in the recent review.
Walkthrough: Docker Compose configuration is updated to harden three services.
Changes: Container Hardening and Resource Management
Estimated code review effort: 2 (Simple) | ~12 minutes
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docker-compose.yaml`:
- Around line 130-143: The container currently calls out an explicit cap_add
list but never removes Docker's default capabilities; add a cap_drop: - ALL
entry immediately before the cap_add block to drop all defaults and then re-add
only the listed capabilities (update the existing cap_add section), ensuring the
security_opt no-new-privileges:false line remains unchanged; this enforces the
Phase A allowlist by removing Docker defaults (e.g., AUDIT_WRITE, SETFCAP)
before re-adding SYS_ADMIN, MKNOD, DAC_OVERRIDE, CHOWN, SETUID, SETGID, and
FOWNER.
📒 Files selected for processing (1)
docker-compose.yaml
| # Phase A hardening: narrow capabilities (no privileged) | ||
| # Still runs as root - documented exception required for Kyverno | ||
| # Phase B (separate epic) will refactor to non-root | ||
| cap_add: | ||
| - SYS_ADMIN # Required for mount --bind /dev/pts | ||
| - MKNOD # Required for mknod device nodes in jail | ||
| - DAC_OVERRIDE # Required for adduser/deluser/jail permissions | ||
| - CHOWN # Required by adduser + chroot setup | ||
| - SETUID # Required by adduser + chroot setup | ||
| - SETGID # Required by adduser + chroot setup | ||
| - FOWNER # Required by adduser + chroot setup | ||
| security_opt: | ||
| # allowPrivilegeEscalation must be true for mount --bind to work | ||
| - no-new-privileges:false |
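Review bot: The comment above `no-new-privileges:false` names allowPrivilegeEscalation, which is the Kubernetes securityContext field and not a Compose key, and it attributes the setting to mount --bind, which the SYS_ADMIN line already ties to that capability. no-new-privileges only controls whether a process can gain privileges across execve (setuid binaries, file capabilities), so reword the comment to name the Compose option and the program in the jail setup that needs privilege gain on exec, or test with no-new-privileges:true and keep the exception only if that fails.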
🧩 Analysis chain
🌐 Web query:
In Docker / Docker Compose, when a container sets cap_add without cap_drop: [ALL], does it still retain Docker's default Linux capabilities? Please cite Docker's documentation for the default capability behavior and list.
💡 Result:
Yes. If you set cap_add without dropping Docker’s default set (i.e., no cap_drop: ["ALL"]), the container retains Docker’s default retained Linux capabilities, and Docker then adds the capabilities you specified via cap_add on top. Docker only removes those defaults when you explicitly drop them with cap_drop: ["ALL"]. [1][2]
Docker documentation for the default capability behavior
1) Docker applies a built-in “default list of capabilities that are kept,” and it provides knobs to add/drop additional Linux capabilities. [2][1]
2) The Docker “Running containers” docs state that, by default, Docker keeps a capability set and provides a table of “capability options which are allowed by default and can be dropped,” plus a separate table for capabilities that “are not granted by default and may be added.” [2]
Docker’s documented list: capabilities allowed by default (examples from the table)
From the “allowed by default and can be dropped” table in Docker’s docs, the default retained capability set includes at least: AUDIT_WRITE, DAC_OVERRIDE, FOWNER, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT, CAP_CHOWN, CAP_KILL, NET_BIND_SERVICE (and others listed in that same table). [2]
How this answers your specific Compose question
- cap_add only (no cap_drop: ["ALL"]) => you get the default Docker retained capabilities plus your additional cap_add capabilities. [1][2]
- cap_drop: ["ALL"] => Docker removes the default retained capabilities and leaves you with only the capabilities you add via cap_add (if any). [2][1]
Compose note: Docker Compose uses the same capability controls conceptually (cap_add / cap_drop) as the Docker engine options described in Docker’s docs. [3]
Citations:
- 1: https://docs.docker.com/reference/cli/docker/container/run
- 2: https://docs.docker.com/engine/containers/run/
- 3: https://github.com/compose-spec/compose-spec/blob/main/spec.md
Add cap_drop: [ALL] to enforce the Phase A capability allowlist.
Without dropping Docker's default capabilities first, this container retains Docker's default set (including AUDIT_WRITE, SETFCAP, SETPCAP, KILL, NET_BIND_SERVICE, and others) in addition to the capabilities you explicitly add. This means the actual capability set is broader than the documented Phase A hardening list. To enforce the intended Phase A allowlist, you must drop all defaults before re-adding only what's needed.
Suggested change
# Phase A hardening: narrow capabilities (no privileged)
# Still runs as root - documented exception required for Kyverno
# Phase B (separate epic) will refactor to non-root
+ cap_drop:
+ - ALL
cap_add:
- SYS_ADMIN # Required for mount --bind /dev/pts
- MKNOD # Required for mknod device nodes in jail
- DAC_OVERRIDE # Required for adduser/deluser/jail permissions
- CHOWN # Required by adduser + chroot setup📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Phase A hardening: narrow capabilities (no privileged) | |
| # Still runs as root - documented exception required for Kyverno | |
| # Phase B (separate epic) will refactor to non-root | |
| cap_add: | |
| - SYS_ADMIN # Required for mount --bind /dev/pts | |
| - MKNOD # Required for mknod device nodes in jail | |
| - DAC_OVERRIDE # Required for adduser/deluser/jail permissions | |
| - CHOWN # Required by adduser + chroot setup | |
| - SETUID # Required by adduser + chroot setup | |
| - SETGID # Required by adduser + chroot setup | |
| - FOWNER # Required by adduser + chroot setup | |
| security_opt: | |
| # allowPrivilegeEscalation must be true for mount --bind to work | |
| - no-new-privileges:false | |
| # Phase A hardening: narrow capabilities (no privileged) | |
| # Still runs as root - documented exception required for Kyverno | |
| # Phase B (separate epic) will refactor to non-root | |
| cap_drop: | |
| - ALL | |
| cap_add: | |
| - SYS_ADMIN # Required for mount --bind /dev/pts | |
| - MKNOD # Required for mknod device nodes in jail | |
| - DAC_OVERRIDE # Required for adduser/deluser/jail permissions | |
| - CHOWN # Required by adduser + chroot setup | |
| - SETUID # Required by adduser + chroot setup | |
| - SETGID # Required by adduser + chroot setup | |
| - FOWNER # Required by adduser + chroot setup | |
| security_opt: | |
| # allowPrivilegeEscalation must be true for mount --bind to work | |
| - no-new-privileges:false |
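Review bot: Once `cap_drop: ALL` is in place the cap_add list is the complete capability set, and the comments on CHOWN, SETUID, SETGID and FOWNER all mention chroot setup while SYS_CHROOT is not listed. That capability has been coming from Docker's defaults, so any chroot(2) call in the jail setup would fail after the drop; check the SSH container's startup and login path against the dropped defaults (SYS_CHROOT, and others such as KILL, NET_BIND_SERVICE, AUDIT_WRITE) and add back only the ones it needs, each with a justification comment like the existing entries.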
add missing caps to ssh
Apply non-root user, cap drops, and resource limits for gateway and web; replace SSH privileged mode with the documented Phase A capability set.
Summary by CodeRabbit
no-new-privileges where applicable.
privileged mode and applying capability-based security controls.
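The capability arithmetic discussed in the review above (Docker's defaults, then cap_drop, then cap_add) can be checked against what a running container actually holds. The following is an added example, not code from this PR or from Docker: it models that rule and decodes a `CapEff` bitmask into names so the result can be diffed against the Phase A allowlist. The function names are hypothetical, the default set is assumed to be the one Docker documents, and the two `CapEff` strings are constructed samples.

```python
# Added example. Bit numbers follow linux/capability.h; DOCKER_DEFAULTS is the
# default set Docker documents. The CapEff strings below are constructed samples.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
    "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
    "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
    "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND "
    "AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
DOCKER_DEFAULTS = {
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "SETPCAP",
    "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD", "AUDIT_WRITE", "SETFCAP",
}
# The Phase A allowlist from the cap_add block on this page.
PHASE_A = {"SYS_ADMIN", "MKNOD", "DAC_OVERRIDE", "CHOWN", "SETUID", "SETGID", "FOWNER"}

def _norm(names):
    return {n.upper().removeprefix("CAP_") for n in names}

def effective_caps(cap_add=(), cap_drop=()):
    """Model how Docker combines its defaults with cap_drop and cap_add."""
    add, drop = _norm(cap_add), _norm(cap_drop)
    if "ALL" in add:                       # everything, minus explicit drops
        return set(CAP_NAMES) - drop
    base = set() if "ALL" in drop else DOCKER_DEFAULTS - drop
    return base | add                      # cap_add is applied last

def decode_mask(hex_mask):
    """Decode a CapEff/CapBnd value from /proc/<pid>/status into names."""
    value = int(hex_mask, 16)
    return {CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(value.bit_length()) if value >> b & 1}

def audit(hex_mask, allowlist=PHASE_A):
    """Return (unexpected, missing) capabilities relative to the allowlist."""
    have = decode_mask(hex_mask)
    return sorted(have - set(allowlist)), sorted(set(allowlist) - have)

CAPEFF_ADD_ONLY = "00000000a82425fb"   # constructed: defaults plus SYS_ADMIN
CAPEFF_DROP_ALL = "00000000082000cb"   # constructed: exactly the Phase A set

if __name__ == "__main__":
    for label, mask in (("cap_add only", CAPEFF_ADD_ONLY), ("cap_drop ALL", CAPEFF_DROP_ALL)):
        unexpected, missing = audit(mask)
        print(f"{label}: unexpected={unexpected} missing={missing}")
```

For a real check, take the mask from the `CapEff:` line of `/proc/1/status` inside the running container and pass it to `audit()`.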