The instructions in the readme.md advise users to mount the host's root file system inside the container that cadvisor uses. The container runs as root, runs in Privileged mode, has no privilege escalation protection, and has no resource exhaustion protection. I believe the main issue here is mounting the host's root file system inside the host. This is listed as rule #1 to avoid (https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers). Why is it mounted, when there are other more granular directories mounted also? Couple this with the facts from above (running as root, privileged, opening a network socket to all interfaces) and this introduces high risk to the host.
Can you reconsider the guidance you are giving users in your documentation to reduce this risk?
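The combination of settings the issue lists (privileged mode, root user, host root filesystem bind-mounted, a port published on every interface, no `no-new-privileges`, no resource limits) can be checked mechanically before a compose file is deployed. The following audit script is an added example and is not part of the cadvisor project or its documentation; the two service definitions it checks are constructed for illustration (the image name is a placeholder), and the "hardened" one is an assumed starting point rather than cadvisor's recommended configuration.

```python
"""Lint a docker-compose service definition for host-exposure risks.

Added example, not cadvisor project code. Service dicts below are constructed
(image name is a placeholder). The risky one mirrors the pattern described in
the issue; the hardened one is an assumed alternative, not cadvisor's own docs.
"""

# Host paths whose bind mount hands the container the whole host or the
# Docker daemon socket (OWASP Docker cheat sheet rule #1).
RISKY_HOST_PATHS = {"/", "/var/run", "/run", "/var/run/docker.sock", "/run/docker.sock"}


def _volume_parts(vol):
    # Compose short syntax: host:container[:mode]; mode defaults to rw.
    parts = vol.split(":")
    host = parts[0]
    container = parts[1] if len(parts) > 1 else ""
    mode = parts[2] if len(parts) > 2 else "rw"
    return host, container, mode


def audit_service(svc):
    """Return a list of human-readable findings for one compose service."""
    findings = []

    if svc.get("privileged"):
        findings.append("privileged: all capabilities and host devices are available")

    # No 'user:' key means the image default, which for most images is root.
    user = str(svc.get("user", "root"))
    if user in ("root", "0", "0:0"):
        findings.append("runs as root (no 'user:' set or user is root)")

    for vol in svc.get("volumes", []):
        host, _, mode = _volume_parts(vol)
        if host in RISKY_HOST_PATHS:
            # ':ro' is still reported: with --privileged the container can reach
            # the host's block devices directly, so a read-only bind does not contain it.
            findings.append(f"host path {host!r} bind-mounted ({mode})")

    for port in svc.get("ports", []):
        # "8080:8080" binds 0.0.0.0; "127.0.0.1:8080:8080" restricts the interface.
        if port.count(":") < 2:
            findings.append(f"port {port!r} published on all interfaces")

    if "no-new-privileges:true" not in svc.get("security_opt", []):
        findings.append("missing security_opt no-new-privileges:true")

    if not svc.get("mem_limit") and not svc.get("pids_limit"):
        findings.append("no mem_limit or pids_limit (resource exhaustion)")

    return findings


# Constructed: the pattern the issue complains about.
RISKY_SERVICE = {
    "image": "example/monitor:latest",  # placeholder image
    "privileged": True,
    "volumes": ["/:/rootfs:ro", "/sys:/sys:ro", "/var/run:/var/run:ro"],
    "ports": ["8080:8080"],
}

# Constructed: assumed hardened alternative (unprivileged, granular mounts,
# loopback-only port, no new privileges, limits). Not cadvisor's documented config.
HARDENED_SERVICE = {
    "image": "example/monitor:latest",  # placeholder image
    "user": "65534:65534",
    "volumes": ["/sys:/sys:ro", "/var/lib/docker:/var/lib/docker:ro"],
    "ports": ["127.0.0.1:8080:8080"],
    "security_opt": ["no-new-privileges:true"],
    "cap_drop": ["ALL"],
    "mem_limit": "256m",
    "pids_limit": 100,
}


if __name__ == "__main__":
    for name, svc in (("risky", RISKY_SERVICE), ("hardened", HARDENED_SERVICE)):
        print(f"{name}: {len(audit_service(svc))} finding(s)")
        for f in audit_service(svc):
            print("  -", f)
```

The script reports every `:ro` mount of the host root on purpose: read-only protects the bind mount itself, but a privileged container still sees the host's block devices, so the mode alone does not reduce the exposure the issue describes. Whether the granular mounts in the hardened variant are sufficient for a given monitoring tool is a question for that tool's maintainers.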