
As a Kubernetes cluster admin, I was asked to enable the chown, dac_override and fowner Linux capabilities in the SHARED Kubernetes cluster for some special Pods.

But I found it is horrible to open these capabilities in a container: https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick

I would like to know whether the Pods can ONLY use these capabilities on the files/folders in the Pod, or whether they can also use them on the host files/folders to hack something.

I have also enabled the RunAsRoot permission but disabled the Privileged permission.

So I would like to know if there is any security issue with enabling these capabilities in a Kube cluster.

Or is there any way to JUST allow some special Pods to have these capabilities?

Thanks a lot!

1 Answer


As long as you trust the k8s controllers (Deployment, StatefulSet, DaemonSet) of these pods, you're fine with additional filesystem-related capabilities. By default, pods cannot write to the host filesystem. And you shouldn't have hostPath volumes in the controllers of your special pods, to eliminate host filesystem writes from inside these pods.

Alex Vorona
  • Thanks Alex!!! If they are end-user pods which are not controlled by us and we didn't provide hostPath volumes for them, is that also safe? – user13220731 Apr 06 '20 at 02:03
  • If end-users have access to the k8s API to create/change pods/controllers, you cannot make it secure. When all k8s configuration is happening from your trusted side and the only end-user part is docker images, you're good. We do not cover OS/container exploits though. Stock k8s isn't ready to work as a shared user-configured environment yet. – Alex Vorona Apr 06 '20 at 08:29
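The constraints the answer and its comments lay out (only the three capabilities from the question, no privileged containers, no hostPath volumes) can be enforced as a pre-deploy lint or admission check; the code below is an added example, not from the post or the asker, and the two Pod manifests (names, image, mount path) are constructed samples.

```python
# Allow-list: exactly the three capabilities the question asks about.
ALLOWED_CAPS = {"CHOWN", "DAC_OVERRIDE", "FOWNER"}


def check_pod(pod: dict) -> list:
    """Return policy violations for a Pod manifest dict (empty list = OK):
    no hostPath volumes, no privileged containers, no added capability
    outside ALLOWED_CAPS. initContainers are checked as well."""
    spec = pod.get("spec") or {}
    problems = []
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            problems.append("volume %r mounts host path %r"
                            % (vol.get("name"), vol["hostPath"].get("path")))
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append("container %r is privileged" % c.get("name"))
        # Names are compared case-insensitively; "ALL" fails the allow-list too.
        added = {cap.upper() for cap in (sc.get("capabilities") or {}).get("add") or []}
        extra = sorted(added - ALLOWED_CAPS)
        if extra:
            problems.append("container %r adds disallowed capabilities %s"
                            % (c.get("name"), extra))
    return problems


# Constructed sample: the shape a compliant "special Pod" should take.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "special-pod"},
            "spec": {"volumes": [{"name": "scratch", "emptyDir": {}}],
                     "containers": [{"name": "app", "image": "registry.example/app:1.0",
                                     "securityContext": {
                                         "runAsUser": 0, "privileged": False,
                                         "capabilities": {"drop": ["ALL"],
                                                          "add": ["CHOWN", "DAC_OVERRIDE", "FOWNER"]}},
                                     "volumeMounts": [{"name": "scratch", "mountPath": "/data"}]}]}}

# Constructed sample: reaches the host filesystem and adds a capability beyond the three.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sneaky-pod"},
           "spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}}],
                    "containers": [{"name": "app", "image": "registry.example/app:1.0",
                                    "securityContext": {"capabilities": {"add": ["chown", "SYS_ADMIN"]}}}]}}
```

Running `check_pod` on `GOOD_POD` returns an empty list; on `BAD_POD` it reports both the hostPath volume and the extra capability.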