-
Notifications
You must be signed in to change notification settings - Fork 39.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can bypass PodSecurityContext.SupplementalGroups
by custom container image although PSP(or other policy engines) enforces the field
#112879
Comments
PodSecurityContext.SupplementalGroups
by custom container image although PSP(or other policy engines) enforces the field
I put labels of sig/security and sig/architecture. But I'd appreciate it if someone told me more suitable sig or area labels. |
assign me |
/sig node |
routing to sig-node since it owns the Pod API and kubelet / CRI runtime implications |
Thanks liggitt for routing this to sig/node! I look forward to hearing a response from the sig/node about how to resolve this issue in the community. |
/assign Although we haven't agreed on how to resolve this issue in the community, I would like to contribute to the issue if I can. Of course, I will respect that the community will decide to assign this issue to a more suitable member. I just wanted to express my motivation for this issue. |
Discussed at CI triage meeting. @everpeace will improve documentation of the field as a first step and improvements can be discussed as a KEP. /remove-kind bug |
/triage accepted |
Ouch... yeah, this is unexpected behavior. |
/reopen |
@everpeace: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
This issue has not been updated in over 1 year, and should be re-triaged. You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/ /remove-triage accepted |
/triage accepted |
What happened?
Even PSP or other policy engines enforces the field values of
PodSecurityContext.SupplementalGroups
, user can bypass the setting by building a custom container image like this.Assume the below PSP is enforced:
Then, a user can create a pod that PSP allows with a custom image. But it can bypass
SupplementalGroups
setting by crafting a container image.Why does this behavior matter?
In a multi-tenant Kubernetes cluster using
hostPath
volumes, this behavior may be very confusing for cluster administrators.hostPath
volumes are access-controlled by uid/gid as in the usual Linux manner. In such clusters, I think it would be a common practice for the cluster administrator to use PSP or policy engine to restrict the values ofPodSecurityContext.{runAsUser, runAsGroup, SupplementalGroups}
field to secure private directory inhostPath
volumes. However, a custom container image can easily bypass the setting and can get access to some private directory in thehostPath
volume. This behavior confuses cluster administrators. They might say "What cansupplementalGroups
policy in PSP protect?"See here for a more detailed and practical impact.
What did you expect to happen?
bypass-supplementalgroups-pod
can have group identities defined only inPodSecurityContext.SupplementalGroups
. That is, the pod's log expects to beHow can we reproduce it (as minimally and precisely as possible)?
See https://github.com/pfnet-research/strict-supplementalgroups-container-runtime/tree/reproduce-bypass-supplementalgroups. You can reproduce this behavior in a single command. You can try to reproduce this both with contained and cri-o.
Anything else we need to know?
Is this a security issue??
We reported this behavior to hackerone.com(
#1688374
) by following Kubernetes Security and Disclosure Information. Kubernetes Security Response Committee responded that this behavior "works as intended," and they recommended discussing how to handle this behavior in a public k/k issue.However, I understand this behavior is not recognized widely. So, for clusters using NFS(or similar filesystems) as
hostPath
volumes, I think it's popular for supercomputers or HPC area, this behavior might cause critical consequences because many cluster administrators might understand PSP(or other policy engines) can provide enough protection to private directories in suchhostPath
volumes.See here for a more detailed and practical impact.
cc/ @cjcullen (as a responder to our report)
Root Cause: ambiguous definition
In kubernetes API,
Pod.SecurityContext.SupplementalGroups
is defined as "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows."I think this definition may be a bit ambiguous for readers regarding the gids defined in the container image. However, most popular CRI implementations(contained and cri-o) create OCI runtime spec(
config.json
) with merged gids defined in the container image andsupplementalGroups
in the pod spec like this:How to resolve this issue?
added: as described in #112879 (comment), we will improve the API description first, and keep discussing new API in KEP.
First, I would like to discuss how to resolve this in the community. I propose several ways to resolve this.
RuntimeClass
which enforces it.PodSecurityContext.SupplementalGroupsPolicy={Merge(default), Strict}
or similar (KEP-3619)Change an API behaviorProsNone.ConsBreaking change./area security
/sig security
/area api
/sig architecture
Tasks for Step 1
Tasks
PodSecurityContext.SupplementalGroups
to clarify its unfamiliar behavior #113047Tasks for Step 2
Tasks
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
I tested this behavior both on containerd and cri-o.
crio version 1.25.0
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: