-
Notifications
You must be signed in to change notification settings - Fork 456
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run Control Plane components as nonroot
user 65532
#8690
Run Control Plane components as nonroot
user 65532
#8690
Conversation
/cc @dimityrmirchev |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
LGTM label has been added. Git tree hash: 9bb9b3bb5f4c786b63b88a5231f60e65fb01e004
|
Converted to draft in order to research setting |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you check with HA vpn? In the HA-mode of vpn, there are vpn side-car containers added to kube-apiserver
. Do they also work with this user change?
I have not checked the HA scenarios. I will look into them, if the vpn side-car containers are problematic the easiest fix would be to set their containers to run as |
After validating locally the |
/test pull-gardener-e2e-kind |
1 similar comment
/test pull-gardener-e2e-kind |
/test pull-gardener-e2e-kind-migration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
LGTM label has been added. Git tree hash: b1930fd5bae2bab580140ff89d8782dfc423ec23
|
RunAsNonRoot: pointer.Bool(false), | ||
RunAsUser: pointer.Int64(0), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens when a Pod has a securityContext set at Pod level and then some container overwrite it? Does the container securityContext is considered only or does kubernetes internally merges the container securityContext with the pod securityContext (where container securityContext values take precedence)?
I am asking because if a merge happens under the hood, then the merged securityContext would be
securityContext:
runAsNonRoot: false
runAsUser: 0
runAsGroup: 65532
fsGroup: 65532
which I think is not what we want.
The docs write
Security settings that you specify for a Container apply only to the individual Container, and they override settings made at the Pod level when there is overlap.
but I am not 100% sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems that a merge happens under the hood indeed.
A small isolated setup to prove the merge:
- Create the following yaml:
apiVersion: v1
kind: Pod
metadata:
name: alpine
namespace: default
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
fsGroup: 65532
containers:
- image: alpine:3.13.2
command:
- /bin/sh
- "-c"
- "sleep 60m"
imagePullPolicy: IfNotPresent
name: alpine
securityContext:
runAsNonRoot: false
runAsUser: 0
restartPolicy: Always
- Verify the merge
% k exec -ti alpine -- sh
/ # id
uid=0(root) gid=65532 groups=1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video),65532
Again, maybe this is not what we want? Maybe it is better to move the Pod level securityContext to the kube-apiserver container?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the Pod's securityContext
setting will be used by every container and only the specified settings will be overridden by the container's securityContext
. It is important to note that fsGroup
can be set only at the Pod level settings so the only question is if we should explicitly set runAsGroup
at the Container level.
I do not think that it is required since we already set root
as the user which grants full permissions on all files in the container.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dimityrmirchev, ialidzhikov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
How to categorize this PR?
/area security quality
/kind enhancement
What this PR does / why we need it:
This PR modifies Control Plane components
kube-apiserver
,kube-controller-manager
andkube-scheduler
to run asnonroot
user65532
(id ofnonroot
user indistroless
images ref). The aim of this PR is to adhere to the principles of least privilege and reduce potential attack surface.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Release note: