Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: Mention static pods in the security guidance around api access #1766

Merged
merged 1 commit into from Oct 4, 2021
Merged

docs: Mention static pods in the security guidance around api access #1766

merged 1 commit into from Oct 4, 2021

Conversation

zmrow
Copy link
Contributor

@zmrow zmrow commented Oct 1, 2021
edited

Description of changes:

We recommend against providing access to the API socket from containers
because of the effects it can have on system configuration and security.
This change specifically calls out the ability to define static pods as
an action that could be taken with API access, and the effects of doing
so.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

bcressey
bcressey reviewed Oct 1, 2021
View reviewed changes
Copy link
Contributor

@bcressey bcressey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/affects/effects/g in the commit message

SECURITY_GUIDANCE.md Outdated
@@ -71,6 +71,7 @@ It is labeled `api_socket_t`, so only processes with privileged SELinux labels c
Write access to this socket will grant full control over system configuration.
This includes the ability to define an arbitrary source for a host container, and to run that container with "superpowers" that bypass other restrictions.
These "superpowers" are described [below](#limit-use-of-host-containers).
It also includes the ability to define and run static pods, which are managed directly by `kubelet` and are not subject to admission controllers that enforce security policies for the Kubernetes cluster.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
It also includes the ability to define and run static pods, which are managed directly by `kubelet` and are not subject to admission controllers that enforce security policies for the Kubernetes cluster.
For Kubernetes variants, it also includes the ability to define and run static pods. These are managed directly by `kubelet` and are not subject to admission controllers that enforce security policies for the cluster.

@zmrow
docs: Mention static pods in the security guidance around api access
fce75f8 
We recommend against providing access to the API socket from containers
because of the effects it can have on system configuration and security.
This change specifically calls out the ability to define static pods as
an action that could be taken with API access, and the effects of doing
so.
@zmrow
Copy link
Contributor Author

zmrow commented Oct 1, 2021

^ Fixed @bcressey 's suggestions

@zmrow zmrow merged commit 07b5ac9 into bottlerocket-os:develop Oct 4, 2021
@zmrow zmrow deleted the static_pods_guidance branch October 4, 2021 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bcressey bcressey bcressey approved these changes

@etungsten etungsten etungsten approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@zmrow @bcressey @etungsten