Kk nist update3 #11441
#### Non-root Execution, No Privilege Escalation, Locked-down Filesystem
Mendix app container images are locked down by default — they run as a non-root user, cannot request elevated permissions, and file ownership and permissions prevent modification of system and critical paths.
🚫 [vale] reported by reviewdog 🐶
[Mendix.Dashes] Remove spaces around the em dash (—). Or, to set off a list item intro or number range, use an en dash (–) instead.
This means any process attempting to execute with elevated privileges or modify protected paths is immediately anomalous — a behavioral signal detectable without signatures.
🚫 [vale] reported by reviewdog 🐶
[Mendix.Dashes] Remove spaces around the em dash (—). Or, to set off a list item intro or number range, use an en dash (–) instead.
For more information, see [Containerized Mendix App Architecture](/developerportal/deploy/private-cloud-cluster/#containerized-mendix-app-architecture).
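Review bot: the sentence "any process attempting to execute with elevated privileges or modify protected paths is immediately anomalous — a behavioral signal detectable without signatures" claims the attempt is detectable, but nothing in this section observes it; the non-root user, the refusal of elevated permissions and the file ownership described here block the action, and whether a blocked attempt is recorded depends on a runtime sensor or audit source that the text does not name. Suggest either naming the component that produces the signal or softening to "is anomalous and can be flagged by a runtime security tool". It would also help readers verify "run as a non-root user" and "cannot request elevated permissions" if the paragraph named the pod securityContext fields behind them (in Kubernetes, runAsNonRoot and allowPrivilegeEscalation: false).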
### Read-only Root Filesystem
🚫 [vale] reported by reviewdog 🐶
[Mendix.HeadingTitleCase] Use title case capitalization for 'Read-only Root Filesystem'.
The Private Mendix Platform operator sets `automountServiceAccountToken: false` on Mendix app pods by default:
* *`runtimeAutomountServiceAccountToken` — Specify if Mendix app pods should get a Kubernetes Service Account token; defaults to false*
🚫 [vale] reported by reviewdog 🐶
[Mendix.Dashes] Remove spaces around the em dash (—). Or, to set off a list item intro or number range, use an en dash (–) instead.
Disabling token automounting prevents a compromised container from using the Kubernetes API to perform lateral movement - a common behaviour-based attack vector. Any API calls from a Private Mendix Platform app pod are therefore anomalous and detectable without needing a signature for the specific malware.
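Review bot: the heading "### Read-only Root Filesystem" does not match the body under it, which covers only `automountServiceAccountToken: false` and the `runtimeAutomountServiceAccountToken` operator setting and says nothing about the root filesystem; either the read-only root filesystem paragraph is missing from this hunk or the heading should be renamed (for example "### No Service Account Token by Default"). The heading is also one level above the preceding "#### Non-root Execution, No Privilege Escalation, Locked-down Filesystem", so check the intended nesting. Separately, "prevents a compromised container from using the Kubernetes API to perform lateral movement" overstates the control: not mounting the token removes the pod's own service account credential, but a compromised container can still reach the API server with any other credential it obtains, and "any API calls from a Private Mendix Platform app pod are therefore anomalous and detectable" holds only where API server audit logging or a network policy actually records those calls. Suggest "prevents a compromised container from using the pod's service account to call the Kubernetes API" and naming the audit source that makes such calls visible.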
🚫 [vale] reported by reviewdog 🐶
[Mendix.AmericanSpelling] Use American English spelling 'behavior' instead of 'behaviour'.
No description provided.