intel / intel-device-plugins-for-kubernetes

Collection of Intel device plugins for Kubernetes
Apache License 2.0

Incomplete plugin SecurityContexts #1841

Open eero-t opened 2 months ago

eero-t commented 2 months ago

Describe the bug

Plugins do not match k8s baseline security standards (mainly due to host mounts), but that could be compensated somewhat by adopting relevant policies from the k8s restricted security standard. When containers are run with root user, they could at least drop unnecessary privileges...

To Reproduce

Check what capabilities are dropped in SecurityContext sections listed in plugins deployments: https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/deployments

For example: https://github.com/intel/intel-device-plugins-for-kubernetes/blob/main/deployments/gpu_plugin/base/intel-gpu-plugin.yaml

Expected behavior

Something like this:

securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: [ "ALL" ]
    add: [<whatever is actually necessary>]
  seccompProfile:
    type: RuntimeDefault

Screenshots

E.g. in above listed GPU plugin deployment, SecurityContext is just:

        securityContext:
          seLinuxOptions:
            type: "container_device_plugin_t"
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false


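An audit of the settings proposed in the issue above, as an added example (not code from the issue or from the project): it takes one workload object as JSON, such as the output of `kubectl get daemonset <name> -o json`, and lists which of the proposed securityContext fields each container lacks. The DaemonSet and container names in the sample are placeholders; the securityContext is the GPU plugin one quoted in the issue.

```python
import json

# Constructed sample: a DaemonSet trimmed to the fields the audit reads. The
# container securityContext is the GPU plugin one quoted in the issue; the
# DaemonSet and container names are placeholders.
SAMPLE_DAEMONSET = json.loads("""
{"kind": "DaemonSet", "metadata": {"name": "example-gpu-plugin"},
 "spec": {"template": {"spec": {"containers": [{
   "name": "example-plugin",
   "securityContext": {
     "seLinuxOptions": {"type": "container_device_plugin_t"},
     "readOnlyRootFilesystem": true,
     "allowPrivilegeEscalation": false
   }
 }]}}}}
""")


def audit_workload(workload):
    """Return (container name, finding) pairs for the settings the issue proposes."""
    pod = workload["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for c in (pod.get("initContainers") or []) + pod["containers"]:
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        # A pod-level seccompProfile applies unless the container sets its own.
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        problems = []
        if sc.get("readOnlyRootFilesystem") is not True:
            problems.append("readOnlyRootFilesystem is not true")
        # An unset allowPrivilegeEscalation is reported, not assumed safe.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append("allowPrivilegeEscalation is not false")
        if "ALL" not in (caps.get("drop") or []):
            problems.append("capabilities.drop lacks ALL")
        if seccomp.get("type") != "RuntimeDefault":
            problems.append("seccompProfile.type is not RuntimeDefault")
        if caps.get("add"):
            problems.append("review capabilities.add: " + ",".join(caps["add"]))
        findings += [(c["name"], p) for p in problems]
    return findings


if __name__ == "__main__":
    for name, problem in audit_workload(SAMPLE_DAEMONSET):
        print(f"{name}: {problem}")
```
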
mythi commented 2 months ago

@eero-t can you submit a PR for this?

eero-t commented 2 months ago

> @eero-t can you submit a PR for this?

Not this or next week, maybe after that.