diff --git a/gpu-operator/index.rst b/gpu-operator/index.rst index 678d1b7f9..7cdb8dd99 100644 --- a/gpu-operator/index.rst +++ b/gpu-operator/index.rst @@ -31,6 +31,7 @@ gpu-driver-upgrades.rst install-gpu-operator-vgpu.rst install-gpu-operator-nvaie.rst + Security Considerations diff --git a/gpu-operator/security.rst b/gpu-operator/security.rst new file mode 100644 index 000000000..319100acf --- /dev/null +++ b/gpu-operator/security.rst @@ -0,0 +1,99 @@ + +***************************** +Security Considerations +***************************** + + +Pod Security Context of the Operator and Operands +================================================= + +Several of the NVIDIA GPU Operator operands, such as the driver containers and container toolkit, +require the following elevated privileges: + +- ``privileged: true`` +- ``hostPID: true`` +- ``hostIPC: true`` + +The elevated privileges are required for the following reasons: + +- Access to the host file system and hardware devices, such as NVIDIA GPUs. +- Restart system services such as containerd. +- Loading and unloading kernel modules. + +Only the Kubernetes cluster administrator needs to access or manage the Operator namespace. +As a best practice, establish proper security policies and prevent any other users from accessing the Operator namespace. + + +CVEs +================================================= + +The following is a list of known CVEs in the GPU Operator or its operands. +To view any published security bulletins for NVIDIA products published security bulletins for NVIDIA products, refer to the NVIDIA product security page at https://www.nvidia.com/en-us/security/. + +.. list-table:: CVEs + :widths: 20 45 35 + :header-rows: 1 + + * - CVE ID + - Affected Components + - Fixed Version + + * - `NVIDIA CVE-2025-23359 `_ + - NVIDIA Container Toolkit, all versions up to and including 1.17.3 + + NVIDIA GPU Operator, all versions up to and including 24.9.1 + - NVIDIA Container Toolkit 1.17.4 + + NVIDIA GPU Operator 24.9.2 + + * - `NVIDIA CVE-2024-0135 `_ + - NVIDIA Container Toolkit, all versions up to and including 1.17.2 + + NVIDIA GPU Operator, all versions up to and including 24.9.0 + - NVIDIA Container Toolkit 1.17.3 + + NVIDIA GPU Operator 24.9.1 + + * - `NVIDIA CVE-2024-0136 `_ + - NVIDIA Container Toolkit, all versions up to and including 1.17.2 + + NVIDIA GPU Operator, all versions up to and including 24.9.0 + - NVIDIA Container Toolkit 1.17.3 + + NVIDIA GPU Operator 24.9.1 + + * - `NVIDIA CVE-2024-0137 `_ + - NVIDIA Container Toolkit, all versions up to and including 1.17.2 + + NVIDIA GPU Operator, all versions up to and including 24.9.0 + - NVIDIA Container Toolkit 1.17.3 + + NVIDIA GPU Operator 24.9.1 + + * - `NVIDIA CVE-2024-0134 `_ + - NVIDIA Container Toolkit, all versions up to and including 1.16.2 + + NVIDIA GPU Operator, all versions up to and including 24.6.2 + - NVIDIA Container Toolkit 1.17.0 + + NVIDIA GPU Operator 24.9.0 + + * - `NVIDIA CVE-2024-0132 `_ + - NVIDIA Container Toolkit, all versions up to and including 1.16.1 + + NVIDIA GPU Operator, all versions up to and including 24.6.1 + - NVIDIA Container Toolkit 1.16.2 + + NVIDIA GPU Operator 24.6.2 + * - `NVIDIA CVE-2024-0133 `_ + - NVIDIA Container Toolkit, all versions up to and including 1.16.1 + + NVIDIA GPU Operator, all versions up to and including 24.6.1 + - NVIDIA Container Toolkit 1.16.2 + + NVIDIA GPU Operator 24.6.2 + +Report a Vulnerability +----------------------------- + +For details on reporting a suspected vulnerability, refer to the `GPU Operator Security policies `_ page.