ASM-17961: mirror strict security hardening in docker-compose POC stack.#25

Open: Hanan-Akeyless wants to merge 2 commits into main from ASM-17961-sra-cluster-hardening-compose

Hanan-Akeyless commented May 20, 2026

Apply non-root user, cap drops, and resource limits for gateway and web; replace SSH privileged mode with the documented Phase A capability set.

Summary by CodeRabbit

  • Chores
    • Strengthened Docker Compose container security by running services as non-root and enabling no-new-privileges where applicable.
    • Reduced attack surface by dropping all Linux capabilities for the gateway and web services.
    • Added resource limits (memory and CPU) to improve runtime stability.
    • Hardened the SSH service by removing privileged mode and applying capability-based security controls.

Apply non-root user, cap drops, and resource limits for gateway and web;
replace SSH privileged mode with the documented Phase A capability set.

Co-authored-by: Cursor <cursoragent@cursor.com>

coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4f859ac8-aa2f-4082-a8cd-5069b4032798

📥 Commits

Reviewing files that changed from the base of the PR and between 997d58c and e2272b5.

📒 Files selected for processing (1)
  • docker-compose.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • docker-compose.yaml

📝 Walkthrough

Docker Compose configuration is updated to harden three services. akeyless-gateway and akeyless-web gain non-root execution, dropped capabilities, disabled privilege escalation, and resource limits. akeyless-ssh replaces privileged mode with explicit capabilities and adjusted security options.

Changes

Container Hardening and Resource Management

| Layer / File(s) | Summary |
| --- | --- |
| Gateway and Web service hardening (docker-compose.yaml) | akeyless-gateway and akeyless-web receive runtime user restrictions, no-new-privileges:true, cap_drop: [ALL], and mem_limit: 4g plus cpus: "2". |
| SSH service hardening (docker-compose.yaml) | akeyless-ssh removes privileged: true, adds capability-based hardening, and updates security_opt to no-new-privileges:false with explanatory comments. |

Estimated code review effort: 2 (Simple) | ~12 minutes

Poem

🐰 I hop past gates with fewer keys,
And lighter loads on memory seas.
The gateway hums, the web stays neat,
While SSH keeps just the caps it needs.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: strengthening security hardening in the docker-compose stack. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker-compose.yaml`:
- Around line 130-143: The container currently calls out an explicit cap_add
list but never removes Docker's default capabilities; add a cap_drop: - ALL
entry immediately before the cap_add block to drop all defaults and then re-add
only the listed capabilities (update the existing cap_add section), ensuring the
security_opt no-new-privileges:false line remains unchanged; this enforces the
Phase A allowlist by removing Docker defaults (e.g., AUDIT_WRITE, SETFCAP)
before re-adding SYS_ADMIN, MKNOD, DAC_OVERRIDE, CHOWN, SETUID, SETGID, and
FOWNER.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 16d4aa6a-a277-4430-a6dc-3a5ae8af7b4c

📥 Commits

Reviewing files that changed from the base of the PR and between 425ab1d and 997d58c.

📒 Files selected for processing (1)
  • docker-compose.yaml

Comment thread docker-compose.yaml
Comment on lines +130 to +143
# Phase A hardening: narrow capabilities (no privileged)
# Still runs as root - documented exception required for Kyverno
# Phase B (separate epic) will refactor to non-root
cap_add:
- SYS_ADMIN # Required for mount --bind /dev/pts
- MKNOD # Required for mknod device nodes in jail
- DAC_OVERRIDE # Required for adduser/deluser/jail permissions
- CHOWN # Required by adduser + chroot setup
- SETUID # Required by adduser + chroot setup
- SETGID # Required by adduser + chroot setup
- FOWNER # Required by adduser + chroot setup
security_opt:
# allowPrivilegeEscalation must be true for mount --bind to work
- no-new-privileges:false
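Review bot: The comment above `no-new-privileges:false` at the end of this block justifies it with `allowPrivilegeEscalation`, a Kubernetes securityContext field that does not exist in Compose, and ties it to `mount --bind`, which the cap_add comments already attribute to SYS_ADMIN. Reword the comment in Compose terms and name the step that needs to gain privileges across exec, so a later reader can tell when the flag can be switched to true. Since the block also notes that the service still runs as root, the combination of root, SYS_ADMIN and no-new-privileges:false is worth stating in the same comment as the accepted Phase A residual risk.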

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In Docker / Docker Compose, when a container sets cap_add without cap_drop: [ALL], does it still retain Docker's default Linux capabilities? Please cite Docker's documentation for the default capability behavior and list.

💡 Result:

Yes. If you set cap_add without dropping Docker’s default set (i.e., no cap_drop: ["ALL"]), the container retains Docker’s default retained Linux capabilities, and Docker then adds the capabilities you specified via cap_add on top. Docker only removes those defaults when you explicitly drop them with cap_drop: ["ALL"]. [1][2]

Docker documentation for the default capability behavior

1) Docker applies a built-in “default list of capabilities that are kept,” and it provides knobs to add/drop additional Linux capabilities. [2][1]
2) The Docker “Running containers” docs state that, by default, Docker keeps a capability set and provides a table of “capability options which are allowed by default and can be dropped,” plus a separate table for capabilities that “are not granted by default and may be added.” [2]

Docker’s documented list: capabilities allowed by default (examples from the table)

From the “allowed by default and can be dropped” table in Docker’s docs, the default retained capability set includes at least: AUDIT_WRITE, DAC_OVERRIDE, FOWNER, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT, CAP_CHOWN, CAP_KILL, NET_BIND_SERVICE (and others listed in that same table). [2]

How this answers your specific Compose question

- cap_add only (no cap_drop: ["ALL"]) => you get the default Docker retained capabilities plus your additional cap_add capabilities. [1][2]
- cap_drop: ["ALL"] => Docker removes the default retained capabilities and leaves you with only the capabilities you add via cap_add (if any). [2][1]

Compose note: Docker Compose uses the same capability controls conceptually (cap_add / cap_drop) as the Docker engine options described in Docker’s docs. [3]

Citations:


Add cap_drop: [ALL] to enforce the Phase A capability allowlist.

Without dropping Docker's default capabilities first, this container retains Docker's default set (including AUDIT_WRITE, SETFCAP, SETPCAP, KILL, NET_BIND_SERVICE, and others) in addition to the capabilities you explicitly add. This means the actual capability set is broader than the documented Phase A hardening list. To enforce the intended Phase A allowlist, you must drop all defaults before re-adding only what's needed.

Suggested change
     # Phase A hardening: narrow capabilities (no privileged)
     # Still runs as root - documented exception required for Kyverno
     # Phase B (separate epic) will refactor to non-root
+    cap_drop:
+      - ALL
     cap_add:
       - SYS_ADMIN      # Required for mount --bind /dev/pts
       - MKNOD          # Required for mknod device nodes in jail
       - DAC_OVERRIDE   # Required for adduser/deluser/jail permissions
       - CHOWN          # Required by adduser + chroot setup
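Review bot: With `cap_drop: - ALL` placed above the list, only the named capabilities remain, yet the comments in this hunk refer to a jail and to chroot setup while the list contains no SYS_CHROOT, which until now came from Docker's defaults. Before applying the suggestion, check each default the service relied on implicitly (the analysis above names AUDIT_WRITE, KILL, NET_BIND_SERVICE and SYS_CHROOT among them) and add the ones it needs to cap_add, each with a one-line justification in the style of the existing entries.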
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Phase A hardening: narrow capabilities (no privileged)
# Still runs as root - documented exception required for Kyverno
# Phase B (separate epic) will refactor to non-root
cap_add:
- SYS_ADMIN # Required for mount --bind /dev/pts
- MKNOD # Required for mknod device nodes in jail
- DAC_OVERRIDE # Required for adduser/deluser/jail permissions
- CHOWN # Required by adduser + chroot setup
- SETUID # Required by adduser + chroot setup
- SETGID # Required by adduser + chroot setup
- FOWNER # Required by adduser + chroot setup
security_opt:
# allowPrivilegeEscalation must be true for mount --bind to work
- no-new-privileges:false
# Phase A hardening: narrow capabilities (no privileged)
# Still runs as root - documented exception required for Kyverno
# Phase B (separate epic) will refactor to non-root
cap_drop:
- ALL
cap_add:
- SYS_ADMIN # Required for mount --bind /dev/pts
- MKNOD # Required for mknod device nodes in jail
- DAC_OVERRIDE # Required for adduser/deluser/jail permissions
- CHOWN # Required by adduser + chroot setup
- SETUID # Required by adduser + chroot setup
- SETGID # Required by adduser + chroot setup
- FOWNER # Required by adduser + chroot setup
security_opt:
# allowPrivilegeEscalation must be true for mount --bind to work
- no-new-privileges:false
add missing caps to ssh
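
The effect of the two variants discussed in this thread, as an added example that is not code from the PR or from CodeRabbit: it models how Docker combines `cap_add` and `cap_drop` with its documented default capability set, then reports which capabilities exceed the Phase A list and which defaults disappear once `ALL` is dropped. The helper names `effective_caps` and `audit` are hypothetical, and the two service dicts are constructed from the YAML shown above.

```python
# Added example: a model of Docker's cap_add / cap_drop semantics, not project code.
# Docker's documented default capability set for non-privileged containers.
DOCKER_DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})

# Phase A allowlist exactly as listed in the cap_add block under review.
PHASE_A = frozenset({"SYS_ADMIN", "MKNOD", "DAC_OVERRIDE", "CHOWN",
                     "SETUID", "SETGID", "FOWNER"})


def _norm(caps):
    """Upper-case names and strip the optional CAP_ prefix."""
    names = (c.upper() for c in caps or [])
    return {n[4:] if n.startswith("CAP_") else n for n in names}


def effective_caps(service):
    """Capability set a non-privileged Compose service ends up with."""
    if service.get("privileged"):
        raise ValueError("privileged: true grants every capability")
    add, drop = _norm(service.get("cap_add")), _norm(service.get("cap_drop"))
    if "ALL" in add:
        raise ValueError("cap_add: ALL is not modelled in this example")
    if "ALL" in drop:
        return frozenset(add)  # defaults discarded, only cap_add remains
    return frozenset((DOCKER_DEFAULT_CAPS - drop) | add)


def audit(service, allowlist=PHASE_A):
    """Return (caps granted beyond the allowlist, defaults no longer granted)."""
    eff = effective_caps(service)
    return sorted(eff - allowlist), sorted(DOCKER_DEFAULT_CAPS - eff)


# Constructed from the two variants shown on the page.
AS_SUBMITTED = {"cap_add": sorted(PHASE_A)}
AS_SUGGESTED = {"cap_drop": ["ALL"], "cap_add": sorted(PHASE_A)}

if __name__ == "__main__":
    for name, svc in (("submitted", AS_SUBMITTED), ("suggested", AS_SUGGESTED)):
        extra, lost = audit(svc)
        print(f"{name}: beyond allowlist={extra} lost defaults={lost}")
```

The second list is the one to review before merging a `cap_drop: ALL` change: any entry in it that the service needs at runtime has to be added back explicitly.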