Add security page #161
Merged
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
|
|
||
| ***************************** | ||
| Security Considerations | ||
| ***************************** | ||
|
|
||
|
|
||
| Pod Security Context of the Operator and Operands | ||
| ================================================= | ||
|
|
||
| Several of the NVIDIA GPU Operator operands, such as the driver containers and container toolkit, | ||
| require the following elevated privileges: | ||
|
|
||
| - ``privileged: true`` | ||
| - ``hostPID: true`` | ||
| - ``hostIPC: true`` | ||
|
|
||
| The elevated privileges are required for the following reasons: | ||
|
|
||
| - Access to the host file system and hardware devices, such as NVIDIA GPUs. | ||
| - Restart system services such as containerd. | ||
| - Loading and unloading kernel modules. | ||
|
|
||
| Only the Kubernetes cluster administrator needs to access or manage the Operator namespace. | ||
| As a best practice, establish proper security policies and prevent any other users from accessing the Operator namespace. | ||
|
|
||
|
|
||
| CVEs | ||
| ================================================= | ||
|
|
||
| The following is a list of known CVEs in the GPU Operator or its operands. | ||
| To view any published security bulletins for NVIDIA products published security bulletins for NVIDIA products, refer to the NVIDIA product security page at https://www.nvidia.com/en-us/security/. | ||
|
|
||
| .. list-table:: CVEs | ||
| :widths: 20 45 35 | ||
| :header-rows: 1 | ||
|
|
||
| * - CVE ID | ||
| - Affected Components | ||
| - Fixed Version | ||
|
|
||
| * - `NVIDIA CVE-2025-23359 <https://nvidia.custhelp.com/app/answers/detail/a_id/5616>`_ | ||
| - NVIDIA Container Toolkit, all versions up to and including 1.17.3 | ||
|
|
||
| NVIDIA GPU Operator, all versions up to and including 24.9.1 | ||
| - NVIDIA Container Toolkit 1.17.4 | ||
|
|
||
| NVIDIA GPU Operator 24.9.2 | ||
|
|
||
| * - `NVIDIA CVE-2024-0135 <https://nvidia.custhelp.com/app/answers/detail/a_id/5599>`_ | ||
| - NVIDIA Container Toolkit, all versions up to and including 1.17.2 | ||
|
|
||
| NVIDIA GPU Operator, all versions up to and including 24.9.0 | ||
| - NVIDIA Container Toolkit 1.17.3 | ||
|
|
||
| NVIDIA GPU Operator 24.9.1 | ||
|
|
||
| * - `NVIDIA CVE-2024-0136 <https://nvidia.custhelp.com/app/answers/detail/a_id/5599>`_ | ||
| - NVIDIA Container Toolkit, all versions up to and including 1.17.2 | ||
|
|
||
| NVIDIA GPU Operator, all versions up to and including 24.9.0 | ||
| - NVIDIA Container Toolkit 1.17.3 | ||
|
|
||
| NVIDIA GPU Operator 24.9.1 | ||
|
|
||
| * - `NVIDIA CVE-2024-0137 <https://nvidia.custhelp.com/app/answers/detail/a_id/5599>`_ | ||
| - NVIDIA Container Toolkit, all versions up to and including 1.17.2 | ||
|
|
||
| NVIDIA GPU Operator, all versions up to and including 24.9.0 | ||
| - NVIDIA Container Toolkit 1.17.3 | ||
|
|
||
| NVIDIA GPU Operator 24.9.1 | ||
|
|
||
| * - `NVIDIA CVE-2024-0134 <https://nvidia.custhelp.com/app/answers/detail/a_id/5585>`_ | ||
| - NVIDIA Container Toolkit, all versions up to and including 1.16.2 | ||
|
|
||
| NVIDIA GPU Operator, all versions up to and including 24.6.2 | ||
| - NVIDIA Container Toolkit 1.17.0 | ||
|
|
||
| NVIDIA GPU Operator 24.9.0 | ||
|
|
||
| * - `NVIDIA CVE-2024-0132 <https://nvidia.custhelp.com/app/answers/detail/a_id/5582>`_ | ||
| - NVIDIA Container Toolkit, all versions up to and including 1.16.1 | ||
|
|
||
| NVIDIA GPU Operator, all versions up to and including 24.6.1 | ||
| - NVIDIA Container Toolkit 1.16.2 | ||
|
|
||
| NVIDIA GPU Operator 24.6.2 | ||
| * - `NVIDIA CVE-2024-0133 <https://nvidia.custhelp.com/app/answers/detail/a_id/5582>`_ | ||
| - NVIDIA Container Toolkit, all versions up to and including 1.16.1 | ||
|
|
||
| NVIDIA GPU Operator, all versions up to and including 24.6.1 | ||
| - NVIDIA Container Toolkit 1.16.2 | ||
|
|
||
| NVIDIA GPU Operator 24.6.2 | ||
|
|
||
| Report a Vulnerability | ||
| ----------------------------- | ||
|
|
||
| For details on reporting a suspected vulnerability, refer to the `GPU Operator Security policies <https://github.com/NVIDIA/gpu-operator/blob/main/SECURITY.md/>`_ page. | ||
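Review bot: the sentence introducing the bulletins link repeats itself ("To view any published security bulletins for NVIDIA products published security bulletins for NVIDIA products"); suggest "To view published security bulletins for NVIDIA products, refer to the NVIDIA product security page at https://www.nvidia.com/en-us/security/." Two smaller points in the same file: the "Report a Vulnerability" heading uses a `-` underline, which makes it a subsection of "CVEs" rather than a top-level section like "Pod Security Context" and "CVEs"; if it is meant to stand alone, use the `=` underline the other sections use. The SECURITY.md link carries a trailing slash (`.../SECURITY.md/`), which is unusual for a file URL and worth checking resolves as intended.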
Do we think a table like this is useful? Are there other fields we should maintain in our docs (all the CVE info is also in the linked bulletins)?
There are a few more of these CVEs that relate to vulnerabilities in images used in older versions. For completeness, we should probably include them as well, but I wanted to make sure that the table was valuable before I went to the trouble of adding all the rest.
I think it is valuable. I don't think we should add any more information to this table though. The security bulletin should be the source of truth and readers should be redirected there if they want more information about any particular CVE.