google / cadvisor

Analyzes resource usage and performance characteristics of running containers.
Other
17.23k stars 2.33k forks source link

Microsoft recommendations to improve security and resilience in the cadvisor service #3595

Open sairinraychoudhury opened 2 months ago

sairinraychoudhury commented 2 months ago

Hi Everyone Needed advice from community members. We have deployed cadvisor 0.47.2 using helm in Microsoft Azure Kubernetes Service (AKS). Also during an assessment of our platform towards improved security & resilience angle received below recommendations from Microsoft experts to be implemented.

  1. Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
  2. The root access inside the service container should be avoided.

We are not sure if above actions when implemented will have an impact on cadvisor since we used default cadvisor configs which are in helm chart for cadvisor.

Could anyone from the community please help or guide us on below queries?

  1. Have you tried implementing custom configs apart from default configs provided?
  2. Do you have a view of the impact by any means if we go ahead and implement this?
  3. Are there any other general recommendation towards achieving this?
iwankgb commented 1 month ago

Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers

I don't think that workaround for this exists. cAdvisor needs access to cgroupfs, rescrtlfs and others to be able to collect metrics. They are mounted from the host into the cAdvisor container.

The root access inside the service container should be avoided.

cAdvisor was built with assumption that it's running as a root, as far as I understand. You could try to run it as other user with CAP_SYS_ADMIN set - it may work. Take a look at man 7 capabilities.

iwankgb commented 1 month ago

Have you read these docs? They might help.