From 3bd5f9f368b87ba3de268cd3cc39bc14ec34072a Mon Sep 17 00:00:00 2001 From: Xing Zhou Date: Thu, 15 Dec 2016 05:57:51 +0000 Subject: [PATCH] Create no-new-privs support proposal doc. Create no-new-privs support proposal doc under contributors/design-proposals. --- contributors/design-proposals/no-new-privs.md | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 contributors/design-proposals/no-new-privs.md diff --git a/contributors/design-proposals/no-new-privs.md b/contributors/design-proposals/no-new-privs.md new file mode 100644 index 000000000..bd6cac313 --- /dev/null +++ b/contributors/design-proposals/no-new-privs.md @@ -0,0 +1,65 @@ +#Support "no new privileges" in Kubernetes + +##Description + +In Linux, the `execve` system call can grant more privileges to a newly-created process than its parent process. Considering security issues, since Linux kernel v3.5, there is a new flag named `no_new_privs` added to prevent those new privileges from being granted to the processes. + +`no_new_privs` is inherited across `fork`, `clone` and `execve` and can not be unset. With `no_new_privs` set, `execve` promises not to grant the privilege to do anything that could not have been done without the `execve` call. + +For more details about `no_new_privs`, please check the Linux kernel document [here](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt). + +Docker started to support `no_new_privs` option since 1.11. Here is the [link](https://github.com/docker/docker/issues/20329) of the ticket in Docker community to support `no_new_privs` option. + +We want to support the creation of containers with `no_new_privs` enabled in Kubernetes, which will make the Kubernetes cluster more safe. Here is the [link](https://github.com/kubernetes/kubernetes/issues/38417) of the ticket in Kubernetes community to track this proposal. + + +##Current implementation + +###Support in Docker + +Since Docker 1.11, user can specify `--security-opt` to enable `no_new_privs` while creating containers, e.g. `docker run --security-opt=no-new-privileges busybox` + +For program client, Docker provides an object named `ContainerCreateConfig` defined in package `github.com/docker/engine-api/types` to config container creation parameters. In this object, there is a string array `HostConfig.SecurityOpt` to specify the security options. Client can utilize this field to specify the arguments for security options while creating new containers. + +###Support in OCI runtimes + +Since version 0.3.0 of the OCI runtime specification, a user can specify the `noNewPrivs` boolean flag in the configuration file. + +More details of OCI implementation can be checked [here](https://github.com/opencontainers/runtime-spec/pull/290). + +###SecurityContext in Kubernetes + +Kubernetes defines `SecurityContext` for `Container` and `PodSecurityContext` for `PodSpec`. `SecurityContext` objects define the related security options for Kubernetes containers, e.g. selinux options. + +While creating a container, kubelet parses the security context object and formats the security option strings for Docker. The security options strings will finally be inserted into `ContainerCreateConfig.HostConfig.SecurityOpt` and passed to Docker. Different Kubernetes runtimes now are using different methods to parse and format the security option strings: +* method `#getSecurityOpts` in `docker_mager_xxxx.go` for Docker runtime +* method `#getContainerSecurityOpts` in `docker_container.go` for CRI + + +##Proposal to support "no new privileges" + +To support "no new privileges" options in Kubernetes, it is proposed to make the following changes: + +###Changes of SecurityContext objects + +Add a new bool type field named `noNewPrivileges` to both `SecurityContext` definition and `PodSecurityContext` definition: +* `noNewPrivileges=true` in `PodSecurityContext` means that all the containers in the pod should be run with `no-new-privileges` enabled. This should be a pod level control of `no-new-privileges` flag. +* `noNewPrivileges` in `SecurityContext` is a container level control of `no-new-privileges` flag, and can override the pod level `noNewPrivileges` setting. + +By default, `noNewPrivileges` is `false`. + +The change of security context API objects requires the update of corresponding Kubernetes documents, need to submit another PR to track this. + +###Changes of docker runtime + +When parsing the new `SecurityContext` object, kubelet has to take care of `noNewPrivileges` field from security context objects. Once `noNewPrivileges` is `true`, kubelet needs to change `#getSecurityOpts` method in `docker_manager_xxx.go` to add `no-new-privileges` option to `ContainerCreateConfig.HostConfig.SecurityOpt` + +###Changes of CRI runtime + +When parsing the new `SecurityContext` object, kubelet has to take care of `noNewPrivileges` field from security context objects. Once `noNewPrivileges` is `true`, kubelet needs to change `#getContainerSecurityOpts` method in `docker_container.go` to add `no-new-privileges` option to `ContainerCreateConfig.HostConfig.SecurityOpt` + +###Changes of kubectl + +This is an additional proposal for kubectl. To improve kubectl user experience, we can add a new flag for kubectl command named `--security-opt`. This flag allows user to create pod with security options configured when using `kubectl run` command. For example, if user issues command like `kubectl run busybox --image=busybox --security-opt=no-new-privileges -- top`, kubernetes shall create a pod with `noNewPrivileges` enabled. + +If the proposal of kubectl changes is accepted, the patch can also be submitted as a separate PR.