Run Control Plane components as nonroot user 65532
#8690
Conversation
gardener-prow
bot
added
area/security
gardener-prow
bot
added
the
size/S
|
/cc @dimityrmirchev |
|
LGTM label has been added. Git tree hash: 9bb9b3bb5f4c786b63b88a5231f60e65fb01e004
|
gardener-prow
bot
added
the
do-not-merge/work-in-progress
|
Converted to draft in order to research setting |
gardener-prow
bot
added
size/M
gardener-prow
bot
removed
the
do-not-merge/work-in-progress
I have not checked the HA scenarios. I will look into them, if the vpn side-car containers are problematic the easiest fix would be to set their containers to run as |
|
After validating locally the |
|
/test pull-gardener-e2e-kind |
1 similar comment
|
/test pull-gardener-e2e-kind |
|
/test pull-gardener-e2e-kind-migration |
|
LGTM label has been added. Git tree hash: b1930fd5bae2bab580140ff89d8782dfc423ec23
|
| RunAsNonRoot: pointer.Bool(false), | ||
| RunAsUser: pointer.Int64(0), |
There was a problem hiding this comment.
What happens when a Pod has a securityContext set at Pod level and then some container overwrite it? Does the container securityContext is considered only or does kubernetes internally merges the container securityContext with the pod securityContext (where container securityContext values take precedence)?
I am asking because if a merge happens under the hood, then the merged securityContext would be
securityContext:
runAsNonRoot: false
runAsUser: 0
runAsGroup: 65532
fsGroup: 65532which I think is not what we want.
The docs write
Security settings that you specify for a Container apply only to the individual Container, and they override settings made at the Pod level when there is overlap.
but I am not 100% sure.
There was a problem hiding this comment.
It seems that a merge happens under the hood indeed.
A small isolated setup to prove the merge:
- Create the following yaml:
apiVersion: v1
kind: Pod
metadata:
name: alpine
namespace: default
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
fsGroup: 65532
containers:
- image: alpine:3.13.2
command:
- /bin/sh
- "-c"
- "sleep 60m"
imagePullPolicy: IfNotPresent
name: alpine
securityContext:
runAsNonRoot: false
runAsUser: 0
restartPolicy: Always- Verify the merge
% k exec -ti alpine -- sh
/ # id
uid=0(root) gid=65532 groups=1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video),65532
Again, maybe this is not what we want? Maybe it is better to move the Pod level securityContext to the kube-apiserver container?
There was a problem hiding this comment.
Yes, the Pod's securityContext setting will be used by every container and only the specified settings will be overridden by the container's securityContext. It is important to note that fsGroup can be set only at the Pod level settings so the only question is if we should explicitly set runAsGroup at the Container level.
I do not think that it is required since we already set root as the user which grants full permissions on all files in the container.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dimityrmirchev, ialidzhikov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
gardener-prow
bot
added
the
approved
How to categorize this PR?
/area security quality
/kind enhancement
What this PR does / why we need it:
This PR modifies Control Plane components
kube-apiserver,kube-controller-managerandkube-schedulerto run asnonrootuser65532(id ofnonrootuser indistrolessimages ref). The aim of this PR is to adhere to the principles of least privilege and reduce potential attack surface.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Release note: