
Welkin (formerly known as Compliant Kubernetes) by Elastisys is a compliant Kubernetes platform for regulated industries.

Privileges for bifrost-agent

Welkin employs two systems, Pod Security Admission (PSA) and Pod Security Policies (PSP), to restrict what privileges an application can request. See the Welkin documentation for more information.

bifrost-agent requires privileges that fall outside the Restricted Pod Security Standard as defined by Kubernetes. Specifically, it requires the following:

  • AUDIT_READ, MAC_ADMIN and NET_BROADCAST capabilities
  • Mounting of host path /sys/kernel/security/apparmor

Configuring Welkin for bifrost-agent

Add the following to the Welkin config file:

user:
  namespaces:
    - bifrost
  constraints:
    bifrost:
      psaLevel: privileged
      bifrost-agent:
        podSelectorLabels:
          app.kubernetes.io/name: bifrost-agent
        allow:
          allowedCapabilities:
            - AUDIT_READ
            - MAC_ADMIN
            - NET_BROADCAST
          allowedHostPaths:
            - pathPrefix: /sys/kernel/security/apparmor
              readOnly: false
          allowPrivilegeEscalation: true
          runAsUser:
            rule: RunAsAny
          runAsNonRoot: false
          seccompProfile: RuntimeDefault
          volumes:
            - hostPath
            - configMap
            - downwardAPI
            - emptyDir
            - persistentVolumeClaim
            - projected
            - secret
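
To make concrete what this allow block permits a pod in the bifrost namespace to request, here is an added check (example code, not Welkin's own PSA/PSP enforcement): BIFROST_AGENT_ALLOW copies the values above, the function names are ours, and the two pod specs are constructed, one shaped like what bifrost-agent needs and one that asks for more.

```python
# Mirrors the 'allow' block above (added illustration, not Welkin's admission code).
BIFROST_AGENT_ALLOW = {
    "allowedCapabilities": ["AUDIT_READ", "MAC_ADMIN", "NET_BROADCAST"],
    "allowedHostPaths": [{"pathPrefix": "/sys/kernel/security/apparmor", "readOnly": False}],
    "volumes": ["hostPath", "configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
}  # allowPrivilegeEscalation: true / runAsNonRoot: false lift those checks entirely

def _host_path_allowed(path, mount_read_only, allowed_host_paths):
    """PSP-style pathPrefix match: /foo allows /foo and /foo/bar, not /foobar."""
    for entry in allowed_host_paths:
        prefix = entry["pathPrefix"].rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            # An entry with readOnly: true only covers read-only mounts.
            if mount_read_only or not entry.get("readOnly", False):
                return True
    return False

def violations(pod_spec, allow):
    """Reasons the pod exceeds the allow block; an empty list means it is admitted."""
    problems, host_paths = [], {}  # host_paths: volume name -> host path
    for vol in pod_spec.get("volumes", []):
        vtype = next(k for k in vol if k != "name")
        if vtype not in allow["volumes"]:
            problems.append(f"volume {vol['name']}: type {vtype} not allowed")
        if vtype == "hostPath":
            host_paths[vol["name"]] = vol["hostPath"]["path"]
    for c in pod_spec.get("containers", []):
        for cap in c.get("securityContext", {}).get("capabilities", {}).get("add", []):
            if cap not in allow["allowedCapabilities"]:
                problems.append(f"{c['name']}: capability {cap} not allowed")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path and not _host_path_allowed(path, m.get("readOnly", False), allow["allowedHostPaths"]):
                problems.append(f"{c['name']}: hostPath {path} not allowed")
    return problems

# Constructed pod specs: the shape bifrost-agent needs, and one that overreaches.
AGENT_POD = {
    "volumes": [{"name": "apparmor", "hostPath": {"path": "/sys/kernel/security/apparmor"}}],
    "containers": [{"name": "agent", "volumeMounts": [{"name": "apparmor", "mountPath": "/sys/kernel/security/apparmor"}],
                    "securityContext": {"capabilities": {"add": ["AUDIT_READ", "MAC_ADMIN", "NET_BROADCAST"]}}}],
}
OVERREACHING_POD = {
    "volumes": [{"name": "sys", "hostPath": {"path": "/sys/kernel"}}],
    "containers": [{"name": "agent", "volumeMounts": [{"name": "sys", "mountPath": "/host-sys"}],
                    "securityContext": {"capabilities": {"add": ["AUDIT_READ", "SYS_ADMIN"]}}}],
}
```

Running violations() on the first spec returns an empty list, while the second is rejected both for the extra capability and for mounting a host path outside the AppArmor prefix.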

Configure bifrost-agent for Welkin

Disable kernel audit system tuning by bifrost-agent by setting the Helm chart value kernelAuditControl: false.