
I run my Spring Boot (Java) application in the Kubernetes environment as a root user and with JMX authentication turned on.

My k8s containers are being flagged as a security risk by the security professionals in my company. Is it really a security risk or just plain old housekeeping?

Will it make a difference if the JMX is unauthenticated?

P.S. I've asked this question on Stack Overflow but didn't get the response I was looking for.

Indra Basak
  • Why don't you ask the security professionals in your company why they think it is a risk? It doesn't matter what anyone here thinks - you need to convince **them** and the only way to do that is by understanding their view on the matter. As-is, I think this question is too broad to get a good answer here – Conor Mancone Nov 30 '19 at 01:19
  • @ConorMancone I did ask my company's security professionals. They are feeding me bureaucratic boondoggle. – Indra Basak Nov 30 '19 at 02:25
  • This is broad. Why did they flag it? Was it because they were running as root? How did they want it fixed? Push back on your security team for these details. "I will not make a change unless 1) the risks are explained, and 2) mitigation *options* are explored." – schroeder Nov 30 '19 at 09:25
  • @IndraBasak I had a suspicion that would be the answer. This is a workplace problem, not a security problem. In essence your question is, "I want to do X, but person in charge refuses and won't tell me why". You could try presenting them with a comprehensive explanation of the dangers of Kubernetes and what you have done to mitigate them (aka schroeder's comment) but if the real issue is a general attitude of "I don't want to be bothered" then that won't help and you'll waste a lot of time. – Conor Mancone Nov 30 '19 at 10:35
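The two properties the question mentions can be checked mechanically rather than argued about. The security-relevant facts are: a process that is uid 0 inside a container is, with the default container runtime setup (no user namespace remapping), uid 0 on the node as soon as anything lets it out of the container (a hostPath mount, a mounted container-runtime socket, a kernel bug), so running as root turns every escape into a root escape; and remote JMX without authentication lets anyone who can reach the port invoke MBean operations, including the standard MLet loader that pulls in arbitrary classes, which is code execution as the JVM's user. JMX password authentication without TLS is weaker than it looks, because the credentials cross the RMI connection in the clear. The script below is an added example, not code from the question, the comments or any project: it audits `kubectl get pod -o json` style output for exactly those findings. The `com.sun.management.jmxremote.*` property names are the real JDK flags; the environment variable names it scans and the three sample pods are assumptions constructed for the example (one matching the question's setup, one with JMX left open, one hardened).

```python
"""Audit Kubernetes pod objects (kubectl get pod -o json format) for containers
that run as root and for remote JMX enabled without authentication or TLS.
Added example; sample pods below are constructed, not real cluster output."""
import json
import re
import shlex

# Environment variables that commonly carry JVM flags (assumed conventions).
JVM_ENV_VARS = ("JAVA_TOOL_OPTIONS", "JDK_JAVA_OPTIONS", "JAVA_OPTS", "CATALINA_OPTS")
# Real JDK property family, e.g. -Dcom.sun.management.jmxremote.authenticate=false
JMX_PROP = re.compile(r"-Dcom\.sun\.management\.jmxremote\.(\w+(?:\.\w+)*)=(\S+)")


def jvm_flags(container):
    """Collect JVM arguments from command, args and the usual option env vars."""
    tokens = list(container.get("command", [])) + list(container.get("args", []))
    for env in container.get("env", []):
        if env.get("name") in JVM_ENV_VARS and "value" in env:
            tokens += shlex.split(env["value"])
    return tokens


def jmx_settings(container):
    """Return {property: value} for every -Dcom.sun.management.jmxremote.* flag."""
    settings = {}
    for tok in jvm_flags(container):
        m = JMX_PROP.match(tok)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def runs_as_root(pod_sc, container):
    """True if the effective uid is 0 or left unspecified (image default, which
    for most base images is root). Container-level fields override pod-level
    ones, as they do in Kubernetes."""
    sc = {**pod_sc, **container.get("securityContext", {})}
    if sc.get("runAsUser") == 0:
        return True
    if sc.get("runAsNonRoot") is True:
        return False
    return sc.get("runAsUser") is None


def audit_pod(pod):
    """Return a list of (container name, finding) tuples for one pod object."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"]["containers"]:
        name = c["name"]
        if runs_as_root(pod_sc, c):
            findings.append((name, "runs as root or uid unspecified"))
        if c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False:
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        jmx = jmx_settings(c)
        if "port" in jmx:  # the remote JMX agent only listens when a port is set
            if jmx.get("authenticate") == "false":
                findings.append((name, f"remote JMX on {jmx['port']} without authentication"))
            if jmx.get("ssl") == "false":
                findings.append((name, f"remote JMX on {jmx['port']} without TLS (credentials in clear)"))
    return findings


def audit_all(doc):
    """Audit every item of a PodList and key the findings by pod name."""
    return {p["metadata"]["name"]: audit_pod(p) for p in doc["items"]}


# Constructed sample PodList: the question's setup (root, JMX auth on), the same
# pod with JMX left open, and a hardened variant. Not real cluster output.
SAMPLE_PODS = json.loads("""
{ "items": [
 {"metadata": {"name": "app-root"},
  "spec": {"containers": [{"name": "app", "image": "example/app:1",
    "securityContext": {"runAsUser": 0},
    "env": [{"name": "JAVA_TOOL_OPTIONS", "value":
      "-Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=true"}]}]}},
 {"metadata": {"name": "app-root-jmx-open"},
  "spec": {"containers": [{"name": "app", "image": "example/app:1",
    "securityContext": {"runAsUser": 0},
    "env": [{"name": "JAVA_TOOL_OPTIONS", "value":
      "-Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"}]}]}},
 {"metadata": {"name": "app-hardened"},
  "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
   "containers": [{"name": "app", "image": "example/app:1",
    "securityContext": {"allowPrivilegeEscalation": false,
                        "capabilities": {"drop": ["ALL"]}},
    "env": [{"name": "JAVA_TOOL_OPTIONS", "value":
      "-Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access"}]}]}}
]}
""")

if __name__ == "__main__":
    for pod, findings in audit_all(SAMPLE_PODS).items():
        print(pod, "->", findings or "clean")
```

Run it against real output with `kubectl get pods -A -o json > pods.json` and `audit_all(json.load(open("pods.json")))`. The `app-root` pod reproduces the question's situation: JMX authentication is on, so the only findings are the root uid and the missing `allowPrivilegeEscalation: false`; turning authentication off adds the JMX findings, which is the concrete difference the question asks about. The `app-hardened` spec is the usual fix: `runAsNonRoot` with an explicit non-zero uid, no privilege escalation, all capabilities dropped, and JMX kept behind both a password file and TLS (better still, do not expose the JMX port through a Service at all and reach it with `kubectl port-forward`).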
