Azure / Bridge-To-Kubernetes

Bridge To Kubernetes (B2K) is a development tool for debugging microservices and pods: it redirects traffic from the cluster to your local development machine and vice versa.
https://learn.microsoft.com/en-us/visualstudio/bridge/overview-bridge-to-kubernetes

Does this app run a root privilege pod? #490

Open smartaquarius10 opened 6 months ago

smartaquarius10 commented 6 months ago

While connecting the bridge using the vscode plugin, it creates a new pod with AllowPrivilegeEscalation* set to true.

Is it mandatory to set this to true? Because in a restricted organization environment it is not possible to run a pod like this.

SMALL CORRECTION: referring to runAsNonRoot as true, not AllowPrivilegeEscalation*.

hsubramanianaks commented 6 months ago

@smartaquarius10 Thanks for this question. I think we can move this to discussions if you are willing to talk more about it, but the answer to this is NO: Bridge to Kubernetes doesn't create pods with securityContext: allowPrivilegeEscalation. I looked through the places where bridge creates pod specs and I don't see anywhere it is setting a security context.

It creates two pods: a remote agent with the same name as the service/pod you are debugging (runs with image lpkremoteagent), and another pod with the same name as your service/pod but with -restore at the end (runs with image lpkrestorationjob). Please let me know if you have further questions, or share logs if you face issues. Thanks again.

smartaquarius10 commented 6 months ago

@hsubramanianaks Thank you so much for the prompt reply. I am extremely sorry, my bad. I mentioned AllowPrivilegeEscalation, but the error was coming because of runAsNonRoot set to true.

Does this flag have to be false for this plugin? In the company's environment, this flag is never allowed either. You can test it using this sample operator.

Just deploy it and the vscode plugin connection with kubernetes shall fail. The remote agent pod will not spin up. The moment you change this to false, the pod will start working.
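The restriction described in this thread (a namespace or operator that only admits pods which declare a non-root identity) can be checked against a pod manifest before anything is deployed. The block below is an added example, not Bridge to Kubernetes code and not posted by anyone in this issue: it applies the Kubernetes precedence rule for `runAsNonRoot` and `runAsUser` (a field set in the container's securityContext overrides the same field at pod level) and reports which containers a "must run as non-root" policy would reject. The three manifests embedded in it are constructed for illustration; the image references, the `myservice` name and the UID 1000 are assumptions.

```python
"""Check pod specs against a "containers must run as non-root" policy.

Added example; not code from Bridge to Kubernetes. The manifests below
are constructed: image references, pod name and UIDs are assumptions.
"""

# Constructed manifest shaped like the remote agent pod the thread describes:
# no securityContext at pod or container level, so the image's USER decides.
AGENT_POD_NO_SC = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "myservice"},
    "spec": {
        "containers": [
            {"name": "remoteagent", "image": "example.invalid/lpkremoteagent:placeholder"}
        ]
    },
}

# Constructed hardened variant: a non-root identity is declared at pod level.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "myservice"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},  # UID assumed
        "containers": [
            {"name": "remoteagent", "image": "example.invalid/lpkremoteagent:placeholder"}
        ],
    },
}

# Constructed conflicting variant: pod says non-root, container overrides to UID 0.
CONFLICT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "myservice"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {
                "name": "remoteagent",
                "image": "example.invalid/lpkremoteagent:placeholder",
                "securityContext": {"runAsUser": 0},
            }
        ],
    },
}


def effective_context(pod: dict, container: dict) -> dict:
    """Merge pod- and container-level securityContext the way Kubernetes does:
    a field set on the container wins over the same field on the pod."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    container_sc = container.get("securityContext") or {}
    merged = {}
    for key in ("runAsNonRoot", "runAsUser"):
        if key in container_sc:
            merged[key] = container_sc[key]
        elif key in pod_sc:
            merged[key] = pod_sc[key]
    return merged


def check_non_root(pod: dict) -> list:
    """Return a list of findings; an empty list means every container
    (init and regular) declares a non-root identity in its spec."""
    findings = []
    spec = pod.get("spec", {})
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = effective_context(pod, container)
        if sc.get("runAsUser") == 0:
            # Explicit UID 0. Combined with runAsNonRoot: true the kubelet
            # rejects the container; without it the container runs as root.
            findings.append(f"{name}: runAsUser is 0 (explicit root)")
        elif sc.get("runAsNonRoot") is not True:
            # Nothing in the spec forbids root; whether the container ends up
            # as root depends on the image's USER, which a policy cannot see.
            findings.append(f"{name}: runAsNonRoot is not true (image USER decides at runtime)")
    return findings


if __name__ == "__main__":
    for label, pod in (("no securityContext", AGENT_POD_NO_SC),
                       ("hardened", HARDENED_POD),
                       ("conflicting", CONFLICT_POD)):
        print(f"{label}: {check_non_root(pod) or 'OK'}")
```

Two points worth keeping in mind when reading the output: a pod that sets no securityContext at all, which is what the maintainer describes for the bridge pods, is neither compliant nor non-compliant on its own, since the effective user comes from the image; and when `runAsNonRoot: true` is in effect (set directly or injected by a policy), the kubelet verifies the image's numeric USER at container creation and refuses to start a container whose image would run as root or whose USER is non-numeric, so the pod is created but never reaches Running.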

hsubramanianaks commented 6 months ago

@smartaquarius10 I don't find this flag in the bridge codebase either; I believe it is something to do with the operator or your company environment. Thank you.

smartaquarius10 commented 6 months ago

@hsubramanianaks I have already shared the link to the code base and its property. Sharing it again: https://github.com/codereliant/sample-tenant-operator/blob/0b2f76cd9af6bc8e0a23cfa890716f26cc372692/config/manager/manager.yaml#L60

smartaquarius10 commented 6 months ago

@hsubramanianaks If you have some free time, just deploy this operator and try connecting the plugin. You'll get the error. You don't have to change anything in the code to get the error.

smartaquarius10 commented 6 months ago

@hsubramanianaks The remote agent pod created by the plugin throws an error telling you to set the run-as-non-root flag to false.

smartaquarius10 commented 6 months ago

@hsubramanianaks Any update on this, please? Did you get some time to check this?

hsubramanianaks commented 6 months ago

@smartaquarius10 Apologies I was occupied, I will take a look into this today. Thanks for your patience.

smartaquarius10 commented 6 months ago

@hsubramanianaks Hey, no problem. Sure, thanks. :)

Regards, Tanul

nam-osisoft commented 2 months ago

Any updates on this issue? Are there any plans to make b2k run as non-root or require root access?