Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incomplete plugin SecurityContexts #1841

Closed
eero-t opened this issue Sep 18, 2024 · 2 comments · Fixed by #1945
Closed

Incomplete plugin SecurityContexts #1841

eero-t opened this issue Sep 18, 2024 · 2 comments · Fixed by #1945
Labels
bug Something isn't working

Comments

@eero-t
Copy link
Contributor

eero-t commented Sep 18, 2024

Describe the bug

Plugins do not match k8s baseline security standards (mainly due to host mounts), but that could be compensated somewhat by adopting relevant policies from the k8s restricted security standard. When containers are run with root user, they could at least drop unnecessary privileges...

To Reproduce

Check what capabilities are dropped in SecurityContext sections listed in plugins deployments:
https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/deployments

For example:
https://github.com/intel/intel-device-plugins-for-kubernetes/blob/main/deployments/gpu_plugin/base/intel-gpu-plugin.yaml

Expected behavior

Something like this:

securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
     drop: [ "ALL" ]
     add: [<whatever is actually necessary>]
  seccompProfile:
    type: RuntimeDefault

Screenshots

E.g. in above listed GPU plugin deployment, SecurityContext is just:

        securityContext:
          seLinuxOptions:
            type: "container_device_plugin_t"
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false

System (please complete the following information):

  • Device plugins version: git HEAD
@mythi
Copy link
Contributor

mythi commented Sep 24, 2024

@eero-t can you submit a PR for this?

@eero-t
Copy link
Contributor Author

eero-t commented Sep 24, 2024

@eero-t can you submit a PR for this?

Not this or next week, maybe after that.

@tkatila tkatila added the bug Something isn't working label Jan 2, 2025
@mythi mythi mentioned this issue Jan 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

depl: drop capabilities from all plugins tkatila/intel-device-plugins-for-kubernetes
3 participants
@mythi @eero-t @tkatila