
Add support for "no new privileges" #38417

Closed
timstclair opened this issue Dec 8, 2016 · 6 comments
Labels
area/security sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@timstclair

Support for setting NO_NEW_PRIVS was added in docker 1.11 (moby/moby#20329). This feature will be much more useful once user namespace support is added (#34569), but I believe it is also relevant when paired with seccomp or LSM (SELinux or AppArmor).

/cc @mrunalp @kubernetes/sig-node
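The kernel mechanism behind this request is the per-process `no_new_privs` bit, set with `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)`. Once set it cannot be cleared, it is inherited across `fork()` and `execve()`, and it stops `execve()` from granting privileges the parent did not have (setuid/setgid bits and file capabilities are ignored), which is why it pairs well with seccomp and LSM confinement. The following is an added example illustrating those semantics; it is not code from this issue, from Docker, or from Kubernetes, and the helper names (`nnp_get`, `nnp_set`, `nnp_try_clear`, `nnp_in_child`) are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the calling process's no_new_privs bit: 1 if set, 0 if clear, -1 on error. */
int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the bit for this process and all of its future children.
   Returns 0 on success, -1 (with errno set) on failure. */
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Attempt to clear the bit. The kernel only accepts arg2 == 1 for
   PR_SET_NO_NEW_PRIVS, so this always fails with EINVAL: the flag is
   one-way by design. Returns the prctl() result (-1 on the expected failure). */
int nnp_try_clear(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Fork a child and return the child's view of the bit (0 or 1),
   demonstrating that it is inherited. Returns -1 if fork/wait fails. */
int nnp_in_child(void) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_get() == 1 ? 1 : 0);   /* child: report via exit status */
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("before: no_new_privs=%d\n", nnp_get());
    if (nnp_set() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("after:  no_new_privs=%d\n", nnp_get());

    int rc = nnp_try_clear();
    printf("clear attempt: rc=%d (%s)\n", rc, rc ? strerror(errno) : "unexpectedly succeeded");

    printf("child sees: no_new_privs=%d\n", nnp_in_child());
    return 0;
}
```

Run it as an unprivileged user; after `nnp_set()` every process in this subtree, including anything it later `execve()`s, is locked to its current privilege level, which is exactly what a `false` value of the Kubernetes `AllowPrivilegeEscalation` field asks the container runtime to apply to the container's init process. The absence of the bit can be confirmed from outside a process by reading the `NoNewPrivs:` line in `/proc/<pid>/status`.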

@timstclair timstclair added area/security sig/node Categorizes an issue or PR as relevant to SIG Node. labels Dec 8, 2016
@xingzhou (Contributor) commented Dec 9, 2016

Shall we add a new flag for this? I'd like to investigate this ticket.

@timstclair (Author)

I think it needs to be a user-facing option (for the reasons described here). It probably makes the most sense as a field on the SecurityContext. I think this touches enough components (k8s API, CRI) that a (brief) design proposal is in order.

@xingzhou (Contributor) commented Dec 9, 2016

Yes, @timstclair. If we also add a flag to kubectl, users can configure this option from the client as well. I will try to write a brief design for discussion prior to implementation. Thanks.

@xingzhou (Contributor)

@timstclair, I just wrote a simple proposal doc for your review, thanks:
https://docs.google.com/document/d/1ikz1V1yxK0mwG_Bnuhh1jADhtiQRPdx_pdSDB5P_ZGg/edit?usp=sharing

@timstclair (Author)

Thank you for the proposal. I left some comments on your doc, but could you please also submit it as a PR to the community design proposals repo: https://github.com/kubernetes/community/tree/master/contributors/design-proposals. That is our official proposal process, and it will get more exposure that way.

@xingzhou (Contributor)

Thanks Tim for your comments. I created a PR in the community repo just now and also wrote some of my thoughts in that Google doc.

k8s-github-robot pushed a commit that referenced this issue Jul 31, 2017
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

Add support for `no_new_privs` via AllowPrivilegeEscalation

**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes #38417

Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.

Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.

Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.

**Release note**:

```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than its parent process
```