New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add seccomp least privilege for docker sandbox #90948
Add seccomp least privilege for docker sandbox #90948
Conversation
@tallclair @Random-Liu would this be a feasible fix for v1.19? /area security |
/assign @derekwaynecarr |
/test pull-kubernetes-e2e-kind |
/test pull-kubernetes-verify |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/uncc
I'll follow along here, but unfortunately not sure I have the context to approve/request changes on this change.
Adding @tallclair given that this is related to seccomp. /assign @tallclair |
@pjbgf: GitHub didn't allow me to request PR reviews from the following users: evrardjp. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test pull-kubernetes-e2e-gce-ubuntu-containerd |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Looking forward to this functionality. Another example of a seccomp profile for a Pod that has to be overly verbose for the syscalls required by the single container can be found in the seccomp GA docs PR: https://github.com/kubernetes/website/pull/21278/files#diff-f55fbc3a157f149b16c43d874a26d4b5
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: derekwaynecarr, pjbgf The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Review the full test history for this PR. Silence the bot with an |
/retest |
3 similar comments
/retest |
/retest |
/retest |
/test pull-kubernetes-e2e-kind |
I met an issue [root@default-np-1:/home/ubuntu]$ docker logs 0f825721defb (sandbox container) docker inspect shows: When removed "no-new-privileges", sandbox container start success. I don't kown what happened,I find this PR about "no-new-privileges" for help.thanks |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Decreases the sandbox's attack surface by running it with
no-new-privileges
and with theruntime/default
seccomp profile.As a side effect, it allows end users to set seccomp profiles at pod level with the same profile as they would for container level, considering the pod only has containers with
AllowPrivilegeEscalation=false
.Without this PR users had to whitelist some syscalls regardless of their containers needing them:
capset
,set_tid_address
,setgid
,setgroups
,setuid
and etc. More information and examples at #84623.Which issue(s) this PR fixes:
Part of #84623 (for dockershim)
Part of #81115 (for sandbox)
Special notes for your reviewer:
Feature parity for kuberuntime will be done through a different PR.
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/cc @tallclair @Random-Liu @dims @mattjmcnaughton
/sig node
/area security