The following table lists the issues and recommendations to consider when you deploy IBM Sterling Control Center in a containerized environment:

| Issue | Recommendation |
| --- | --- |
| The UID/GID of the ccuser can be configured during deployment. This UID/GID can be mapped to any known user on the host system where the directories are mounted. | Make sure the UID/GID values specified during deployment map to a secure, dedicated user ID reserved for this purpose. |
| An attacker can use a scanner to identify the current version of the Kubernetes cluster and use the disclosed information to find security vulnerabilities that can be exploited. | Disable the `--enable-debugging-handlers` kubelet flag. |
| Secrets are, by default, stored as unencrypted base64-encoded strings. Base64 is an encoding, not an encryption method, and is considered equivalent to plain text. If Secrets are exposed to the wrong parties, an attacker can misuse the leaked Secrets. | (1) Remove a Secret once it is no longer needed after a successful deployment. (2) Enable encryption at rest for etcd to add a layer of protection for stored Secrets. (3) Enable or configure RBAC rules that restrict reading and writing the Secret; be aware that Secrets can be obtained implicitly by anyone with permission to create a Pod. (4) If required, use a third-party secret management tool. |
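The following manifests show one way to apply the three recommendations above with standard Kubernetes settings. This is an added example, not IBM's chart or documentation; the names `scc-example`, `sterling`, `scc-secret-reader`, `scc-db-credentials`, the UID/GID 1001 and the image are placeholders.

```yaml
# Pod securityContext: pin ccuser to a dedicated non-root UID/GID.
# 1001 is a placeholder; use the ID reserved for ccuser on the hosts that mount the volumes.
apiVersion: v1
kind: Pod
metadata:
  name: scc-example        # hypothetical name
  namespace: sterling      # hypothetical namespace
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001          # mounted volumes are group-owned by this GID, not by root
  containers:
    - name: control-center
      image: REPLACE_WITH_SCC_IMAGE   # placeholder; the image name is not given on this page
---
# KubeletConfiguration: turn off the debugging handlers (equivalent to --enable-debugging-handlers=false).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
enableDebuggingHandlers: false
---
# EncryptionConfiguration passed to kube-apiserver via --encryption-provider-config:
# Secrets are written to etcd AES-CBC encrypted instead of as base64 plain text.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY   # placeholder; generate with: head -c 32 /dev/urandom | base64
      - identity: {}      # last: Secrets written before encryption was enabled remain readable
---
# Role limited to reading one named Secret; resourceNames cannot restrict list/watch, so grant get only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scc-secret-reader   # hypothetical
  namespace: sterling
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["scc-db-credentials"]   # hypothetical Secret name
    verbs: ["get"]
```

After enabling the EncryptionConfiguration, rewrite existing Secrets (for example `kubectl get secrets -A -o json | kubectl replace -f -`) so that already-stored values are re-saved encrypted. Because any identity that can create a Pod in the namespace can mount the Secret into it, restrict the `create` verb on `pods` with the same care as `get` on `secrets`.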