Add support for "no new privileges" #38417
Comments
Shall we add a new flag for this? I'd like to take on the investigation of this ticket.

I think it needs to be a user-facing option (for the reasons described here). It probably makes the most sense as a field on the SecurityContext. I think this touches enough components (k8s API, CRI) that a (brief) design proposal is in order.

Yes, @timstclair, and if we also add a flag to kubectl, users can configure this option from the client as well. I will try to write a brief design for discussion prior to implementation, thanks.

@timstclair, I just wrote a simple proposal doc for your review, thanks:

Thank you for the proposal. I left some comments on your doc, but could you please also submit it as a PR to the community design proposals repo: https://github.com/kubernetes/community/tree/master/contributors/design-proposals. That is our official proposal process, and it will get more exposure that way.

Thanks Tim for your comments. I created a PR in the community repo just now and also wrote some of my thoughts in that Google doc.
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

Add support for `no_new_privs` via AllowPrivilegeEscalation

**What this PR does / why we need it**:

Implements kubernetes/community#639
Fixes #38417

Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`. Adds `AllowPrivilegeEscalation` to container `SecurityContext`. Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set. Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.

**Release note**:

```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than its parent process
```
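As an added illustration (not code from the Kubernetes PR above, nor from the kubelet or admission controller), the following Go program models how the two `PodSecurityPolicy` fields and the container-level `SecurityContext` field named in the merge description could interact: a policy default fills in containers that leave `allowPrivilegeEscalation` unset, a policy with `allowPrivilegeEscalation: false` rejects containers that explicitly request it, and a container whose final value is `false` is the one the runtime would start with `no_new_privs`. The struct types, the `ReviewPod` function and the sample pod JSON are constructed for this example, and the defaulting, validation and runtime-flag mapping are assumptions about the intended behaviour rather than a transcript of the real code.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal stand-ins for the API objects the PR touches (example types,
// not the Kubernetes source). Only the fields needed here are modelled.
type SecurityContext struct {
	Privileged               *bool `json:"privileged,omitempty"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	Containers []Container `json:"containers"`
}

// PodSecurityPolicy carries the two fields named in the PR description.
type PodSecurityPolicy struct {
	AllowPrivilegeEscalation        bool  // false: containers may not request escalation
	DefaultAllowPrivilegeEscalation *bool // applied when a container leaves the field unset
}

// ApplyDefaults fills in allowPrivilegeEscalation on containers that left it
// unset, using the policy default (assumed defaulting semantics).
func ApplyDefaults(psp PodSecurityPolicy, spec *PodSpec) {
	if psp.DefaultAllowPrivilegeEscalation == nil {
		return
	}
	for i := range spec.Containers {
		c := &spec.Containers[i]
		if c.SecurityContext == nil {
			c.SecurityContext = &SecurityContext{}
		}
		if c.SecurityContext.AllowPrivilegeEscalation == nil {
			v := *psp.DefaultAllowPrivilegeEscalation
			c.SecurityContext.AllowPrivilegeEscalation = &v
		}
	}
}

// Validate rejects a pod whose containers explicitly ask for privilege
// escalation when the policy forbids it (assumed validation semantics).
func Validate(psp PodSecurityPolicy, spec PodSpec) error {
	if psp.AllowPrivilegeEscalation {
		return nil
	}
	for _, c := range spec.Containers {
		sc := c.SecurityContext
		if sc != nil && sc.AllowPrivilegeEscalation != nil && *sc.AllowPrivilegeEscalation {
			return fmt.Errorf("container %q: allowPrivilegeEscalation=true is not permitted by the policy", c.Name)
		}
	}
	return nil
}

// NoNewPrivs reports whether the runtime should set no_new_privs for the
// container: only when the field is explicitly false (assumed mapping; an
// unset field keeps the pre-existing behaviour, where escalation stays possible).
func NoNewPrivs(c Container) bool {
	sc := c.SecurityContext
	return sc != nil && sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation
}

// ReviewPod runs defaulting, then validation, and returns the per-container
// no_new_privs decision keyed by container name.
func ReviewPod(podJSON string, psp PodSecurityPolicy) (map[string]bool, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(podJSON), &spec); err != nil {
		return nil, err
	}
	ApplyDefaults(psp, &spec)
	if err := Validate(psp, spec); err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(spec.Containers))
	for _, c := range spec.Containers {
		out[c.Name] = NoNewPrivs(c)
	}
	return out, nil
}

// Constructed sample pod: one container says nothing, one opts out of
// escalation, one explicitly asks for it.
const samplePod = `{"containers":[
  {"name":"web"},
  {"name":"locked","securityContext":{"allowPrivilegeEscalation":false}},
  {"name":"wants-suid","securityContext":{"allowPrivilegeEscalation":true}}
]}`

func main() {
	f := false
	permissive := PodSecurityPolicy{AllowPrivilegeEscalation: true, DefaultAllowPrivilegeEscalation: &f}
	flags, err := ReviewPod(samplePod, permissive)
	fmt.Println("permissive policy, default=false:", flags, err)

	strict := PodSecurityPolicy{AllowPrivilegeEscalation: false}
	_, err = ReviewPod(samplePod, strict)
	fmt.Println("strict policy:", err)
}
```

With the permissive policy and a default of `false`, the untouched `web` container ends up with `no_new_privs` just like `locked`, while `wants-suid` keeps its explicit opt-in; with the strict policy the same pod is rejected because of `wants-suid`. The point for a defender is that the policy default is what protects containers whose authors never thought about the field.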
Support for setting NO_NEW_PRIVS was added in docker 1.11 (moby/moby#20329). This feature will be much more useful once user namespace support is added (#34569), but I believe it is also relevant when paired with seccomp or LSM (SELinux or AppArmor).
/cc @mrunalp @kubernetes/sig-node