k8s-ci-robot
GitHub
commit
09ae39dda5
|
|
@ -0,0 +1,93 @@
|
|||
# ProcMount/ProcMountType Option
|
||||
|
||||
## Background
|
||||
|
||||
Currently the way docker and most other container runtimes work is by masking
|
||||
and setting as read-only certain paths in `/proc`. This is to prevent data
|
||||
from being exposed into a container that should not be. However, there are
|
||||
certain use-cases where it is necessary to turn this off.
|
||||
|
||||
## Motivation
|
||||
|
||||
For end-users who would like to run unprivileged containers using user namespaces
|
||||
_nested inside_ CRI containers, we need an option to have a `ProcMount`. That is,
|
||||
we need an option to designate explicitly turn off masking and setting
|
||||
read-only of paths so that we can
|
||||
mount `/proc` in the nested container as an unprivileged user.
|
||||
|
||||
Please see the following filed issues for more information:
|
||||
- [opencontainers/runc#1658](https://github.com/opencontainers/runc/issues/1658#issuecomment-373122073)
|
||||
- [moby/moby#36597](https://github.com/moby/moby/issues/36597)
|
||||
- [moby/moby#36644](https://github.com/moby/moby/pull/36644)
|
||||
|
||||
Please also see the [use case for building images securely in kubernetes](https://github.com/jessfraz/blog/blob/master/content/post/building-container-images-securely-on-kubernetes.md).
|
||||
|
||||
Unmasking the paths in `/proc` option really only makes sense for when a user
|
||||
is nesting
|
||||
unprivileged containers with user namespaces as it will allow more information
|
||||
than is necessary to the program running in the container spawned by
|
||||
kubernetes.
|
||||
|
||||
The main use case for this option is to run
|
||||
[genuinetools/img](https://github.com/genuinetools/img) inside a kubernetes
|
||||
container. That program then launches sub-containers that take advantage of
|
||||
user namespaces and re-mask /proc and set /proc as read-only. So therefore
|
||||
there is no concern with having an unmasked proc open in the top level container.
|
||||
|
||||
It should be noted that this is different that the host /proc. It is still
|
||||
a newly mounted /proc just the container runtimes will not mask the paths.
|
||||
|
||||
Since the only use case for this option is to run unprivileged nested
|
||||
containers,
|
||||
this option should only be allowed or used if the user in the container is not `root`.
|
||||
This can be easily enforced with `MustRunAs`.
|
||||
Since the user inside is still unprivileged,
|
||||
doing things to `/proc` would be off limits regardless, since linux user
|
||||
support already prevents this.
|
||||
|
||||
## Existing SecurityContext objects
|
||||
|
||||
Kubernetes defines `SecurityContext` for `Container` and `PodSecurityContext`
|
||||
for `PodSpec`. `SecurityContext` objects define the related security options
|
||||
for Kubernetes containers, e.g. selinux options.
|
||||
|
||||
To support "ProcMount" options in Kubernetes, it is proposed to make
|
||||
the following changes:
|
||||
|
||||
## Changes of SecurityContext objects
|
||||
|
||||
Add a new `string` type field named `ProcMountType` will hold the viable
|
||||
options for `procMount` to the `SecurityContext`
|
||||
definition.
|
||||
|
||||
By default,`procMount` is `default`, aka the same behavior as today and the
|
||||
paths are masked.
|
||||
|
||||
This will look like the following in the spec:
|
||||
|
||||
```go
|
||||
type ProcMountType string
|
||||
|
||||
const (
|
||||
// DefaultProcMount uses the container runtime default ProcType. Most
|
||||
// container runtimes mask certain paths in /proc to avoid accidental security
|
||||
// exposure of special devices or information.
|
||||
DefaultProcMount ProcMountType = "Default"
|
||||
|
||||
// UnmaskedProcMount bypasses the default masking behavior of the container
|
||||
// runtime and ensures the newly created /proc the container stays in tact with
|
||||
// no modifications.
|
||||
UnmaskedProcMount ProcMountType = "Unmasked"
|
||||
)
|
||||
|
||||
procMount *ProcMountType
|
||||
```
|
||||
|
||||
This requires changes to the CRI runtime integrations so that
|
||||
kubelet will add the specific `unmasked` or `whatever_it_is_named` option.
|
||||
|
||||
## Pod Security Policy changes
|
||||
|
||||
A new `[]ProcMountType{}` field named `allowedProcMounts` will be added to the Pod
|
||||
Security Policy as well to gate the allowed ProcMountTypes a user is allowed to
|
||||
set. This field will default to `[]ProcMountType{ DefaultProcMount }`.
|
||||
Loading…
Reference in New Issue