concourse-chart
Harden security even if the worker pod runs with privileged: true
We are allowing privileged: true for the worker pod so that tasks can run in a container. This is a security problem, as described here: https://concourse-ci.org/task-step.html#task-step-privileged.
How can we ensure security even if it is enabled?
https://github.com/concourse/concourse-chart/blob/c13f1427bf0d484dad35ee73ffcdec5d19acb7c5/templates/worker-statefulset.yaml#L59
Currently the best way to ensure that workloads on your Concourse workers are isolated is to have one k8s cluster dedicated to running Concourse. Work is being done to move away from rootless workers being required (https://github.com/concourse/concourse/issues/5073). In the meantime, you should network off (whitelist access to specific network endpoints only) Concourse workers as much as possible and restrict their access as much as possible if security is of the utmost concern to you.
Regarding the task privileged field, something like the OPA RFC would help address this by allowing a Concourse operator to disallow users from creating privileged tasks.
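The comment above recommends networking off the workers so they can only reach a whitelist of endpoints. The following Kubernetes NetworkPolicy is an added example of that advice; it is not part of the concourse-chart or of this thread. It assumes the chart's worker and web pods carry the labels app: concourse-worker and app: concourse-web in namespace concourse (check the rendered StatefulSet and Deployment for the actual label values), that cluster DNS is the kube-system pod labelled k8s-app: kube-dns, that web listens for worker registration on the TSA default port 2222, and that 203.0.113.0/24 is a placeholder CIDR for the image registry your tasks pull from. Anything else is denied, including all ingress, since workers register outbound through the TSA tunnel.

```yaml
# Added example, not from the concourse-chart. Default-deny for worker pods,
# then allow only DNS, the Concourse web/TSA endpoint and one registry range.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: concourse-worker-egress-allowlist
  namespace: concourse            # assumption: chart installed in this namespace
spec:
  podSelector:
    matchLabels:
      app: concourse-worker       # assumption: label on the worker StatefulSet pods
  policyTypes:
    - Ingress
    - Egress
  # No ingress rules: all inbound traffic to worker pods is denied.
  ingress: []
  egress:
    # Cluster DNS so the worker and its containers can resolve names.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # assumption: standard CoreDNS/kube-dns label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Worker registration with the web node over the TSA SSH port.
    - to:
        - podSelector:
            matchLabels:
              app: concourse-web  # assumption: label on the web Deployment pods
      ports:
        - protocol: TCP
          port: 2222              # Concourse TSA default bind port
    # Image pulls from one approved registry; replace the placeholder range.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24  # placeholder, not a real registry
      ports:
        - protocol: TCP
          port: 443
```

NetworkPolicy is only enforced when the cluster's CNI supports it (Calico, Cilium and similar do; the default kubenet does not), so confirm enforcement by exec'ing into a worker pod and attempting a connection outside the allowlist. Task containers created by the worker share the pod's network, so this policy bounds their egress too, but it does not change what a privileged container can do to the node itself, which is why the comment also recommends a dedicated cluster.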
Thanks a lot @taylorsilva! What would be the tentative timeline for rootless workers and OPA?
No idea! OPA is being done by someone outside our team and we're working on getting containerd working with our existing use-cases first.