Re: #cf seccomp #cf
toggle quoted message Show quoted text
Hi hjinkim - the 'configurable' column in that table actually means whether you can opt in/out of the feature, not whether you can configure it (admittedly that's rather unclear!). Garden enables seccomp by default and does not allow opting out (hence it's marked as false in the configurable column), and there are no plans to change that.
Although the table doesn't show it, it would also be possible - as I think you're suggesting - to allow configuring custom seccomp rules for particular containers. We don't currently have plans to allow that because it would require exposing quite a lot of new complexity to users which would be difficult given the Cloud Foundry UX (we try to hide low-level details from users), and might risk allowing users to ask for less secure rules than we would want. Do you have a particular use case in mind where you would want more configurable rules than the defaults we set out of the box?
On Thu, 29 Nov 2018 at 10:52 <hjinkim@...> wrote: