Pod Security Policy does not prevent pods from running as root #53063
Comments
some questions:

I looked around to see if I had to do anything and based on this and this, I tried:

I guessed if at all it has to be enabled, this would do it, but it still doesn't work. Should I have enabled it elsewhere? If so, would you mind explaining how?

Here's the manifest I grabbed by running:

That enables the API objects, but does not enable the admission plugin. You must set the apiserver

I'm supposed to set this in

In the apiserver manifest kubeadm generates, there should be an arg like …; modifying that to include PodSecurityPolicy (probably just before ResourceQuota) should enable it.
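Added example, not from the thread or the Kubernetes project: a POSIX shell check for the fix described above. It takes the `--admission-control` argument as it appears in the kubeadm-generated kube-apiserver static-pod manifest (the sample value below is constructed, not the real kubeadm default), reports whether PodSecurityPolicy is among the enabled admission plugins, and prints the corrected argument with PodSecurityPolicy inserted just before ResourceQuota.

```shell
#!/bin/sh
# Added example, not from the issue thread: inspect a kube-apiserver
# --admission-control argument and add the PodSecurityPolicy admission plugin.
# Edit a copy of the manifest; the kubelet restarts the apiserver on change.

# Constructed sample argument (not the real kubeadm default): the PSP API
# objects exist but the admission plugin that enforces them is absent.
SAMPLE_ARG='--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota'

# admission_plugins ARG: print the comma-separated plugin list of an
# --admission-control argument (empty output if ARG is some other flag).
admission_plugins() {
  printf '%s\n' "$1" | sed -n 's/^--admission-control=//p'
}

# psp_enabled ARG: succeed only if PodSecurityPolicy is one of the plugins.
# grep -x matches whole lines, so a name merely containing the string fails.
psp_enabled() {
  admission_plugins "$1" | tr ',' '\n' | grep -qx 'PodSecurityPolicy'
}

# with_psp ARG: print ARG with PodSecurityPolicy inserted directly before
# ResourceQuota (appended when ResourceQuota is absent). Idempotent.
with_psp() {
  if psp_enabled "$1"; then
    printf '%s\n' "$1"
    return 0
  fi
  plugins=$(admission_plugins "$1")
  [ -n "$plugins" ] || return 1   # not an --admission-control argument
  # Wrap in commas so every plugin name is delimited on both sides.
  wrapped=",$plugins,"
  case "$wrapped" in
    *,ResourceQuota,*) wrapped=$(printf '%s' "$wrapped" |
      sed 's/,ResourceQuota,/,PodSecurityPolicy,ResourceQuota,/') ;;
    *) wrapped="${wrapped}PodSecurityPolicy," ;;
  esac
  plugins=${wrapped#,}
  plugins=${plugins%,}
  printf '%s\n' "--admission-control=$plugins"
}

# Report the current state and, when needed, the corrected argument.
if psp_enabled "$SAMPLE_ARG"; then
  echo "PodSecurityPolicy admission already enabled"
else
  echo "PodSecurityPolicy admission NOT enabled; corrected argument:"
  with_psp "$SAMPLE_ARG"
fi
```

After the apiserver restarts with the corrected argument, a pod that requests root should be rejected by the PSP, which is the behaviour the report expected.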
@kubernetes/sig-api-machinery-bugs
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
When I implement the basic PSP given here, and then run a container that explicitly asks for root privileges as given in the same link, it executes successfully. For reference, the PSP and the container are as follows:
Container:
What you expected to happen:
Container fails to run with the error
As far as I can tell, PSP is available by default and I shouldn't have to do anything specific to enable it.
How to reproduce it (as minimally and precisely as possible):
On a cluster set up using `kubeadm`, join a node and apply the aforementioned PSP and then run a container that explicitly asks for root.

Anything else we need to know?:
I have also tested this with my own pods, and the result is the same: the pods are scheduled and run as root. However, if I specify a UID for `runAsUser` in the pod description, the pod does run as that user. Also, `kubectl get psp` shows the PSP I have applied with correct information. Usual Kubernetes functionality seems to be working fine, but I noticed that `/etc/kubernetes/manifests/kube-apiserver.json` is missing on the master.

Environment:
Kubernetes version (use `kubectl version`): 1.7.5 on both master and worker nodes.
Cloud provider or hardware configuration: One master node (VM on laptop), one worker node (another physical machine).
OS (e.g. from /etc/os-release): Ubuntu 16.04.2 on master, Linux Mint 18.1 on worker.
Kernel (e.g. `uname -a`): 4.8 on master, 4.4 on worker
Install tools: `kubeadm` to initialize