[RFE] disable user namespace flag #773
Comments
The |
The upstream supported way of achieving this is:
This is stronger than |
Oh I wasn't aware of |
That is correct. |
Perfect, thank you for pointing this out. I'll close the issue. |
Current situation
With CVE-2022-1966 we see another vulnerability which can be mitigated by disabling user namespaces altogether, e.g. with the kernel.unprivileged_userns_clone=0 flag implemented in some Linux distributions. As long as kubernetes/enhancements#127 is still open, it would be great to disable user namespaces on Kubernetes workers completely to reduce attack surface.
Impact
Reduce attack surface on systems where user namespaces are not in use.
Ideal future situation
We could disable user namespaces like in other distributions.
Implementation options
Additional information