ctalledo
commented
2 years ago Running this fully privileged puts a massive risk on any K8 Cluster that runs Kink.
I agree.
But note: there is now a solution to run KinD in secure (in fact rootless) pods. It's called Sysbox, a next-generation "runc" (I am one of the developers). It's in fact capable of creating secure pods that run not just KinD, but also Docker, native K8s, K3s, buildx, systemd, and more.
I think KinK users would really benefit from this, as otherwise the alternative of using privileged containers will be a strong deterrent for many.
While this seems like a cool project, the security implications that are required for running kink are very concerning.
https://github.com/Trendyol/kink/blob/42be76dabeb3b5743d8ed34d9ac301b0d32ea1b3/cmd/run.go#L212
Running this fully privileged puts a massive risk on any K8 Cluster that runs Kink. The security impact of this project can probably be massively reduced by implementing the correct and relevant Security Context instead of running it in privileged Mode.