Minimum privileges for CSI sidecar


I'm building my own CSI driver following the CSI standard, and I'm wondering about the Security Context to be set for the CSI sidecar containers.

I'm going to use:

  • Node Driver Registrar
  • CSI provisioner
  • CSI attacher
  • CSI liveness probe.

Some of them need to run as root, and I'm wondering about the configuration in the Security Context to assign them the minimum Linux capabilities and to be sure that root capabilities are provided for the minimum time.

Am I forced to set the security context as follows? Is there any way to restrict it further?

securityContext:
  allowPrivilegeEscalation: true
  privileged: false
  runAsNonRoot: true
  capabilities:
    drop:
    - all
    add:
    - SYS_ADMIN

Thanks in advance, Antonio


Based on research about Kubernetes and Linux capabilities, it looks like you've already found the least possible privileges.

Your example contains the minimum needed capability, CAP_SYS_ADMIN, which is used primarily for mounting and unmounting filesystems.

In more details CAP_SYS_ADMIN is used for:

  • Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), pivot_root(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2);

  • use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;

  • exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2));

  • call setns(2) (requires CAP_SYS_ADMIN in the target namespace);

  • employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal;

  • employ the obsolete nfsservctl(2) system call;

  • employ the obsolete bdflush(2) system call;

  • perform various privileged block-device ioctl(2) operations;

  • perform various privileged filesystem ioctl(2) operations;

  • perform privileged ioctl(2) operations on the /dev/random device (see random(4));

  • perform administrative operations on many device drivers;

Source - capabilities(7) — Linux manual page


Also, a very good article with many details about Docker images and security aspects can be found here: Towards unprivileged container builds

One more article that explains Linux capabilities and their application with examples may be helpful: HackTricks - Linux Capabilities
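Two checks a practitioner would run against the sidecar settings from the question, as an added example that is not part of the question or the answer: a decoder for the Cap* masks in /proc/<pid>/status (what `kubectl exec <pod> -c <sidecar> -- cat /proc/1/status` prints inside the running sidecar), and a lint over the securityContext. The /proc status excerpts, the securityContext dict and the finding codes are constructed here for illustration; the capability bit numbers are the kernel's (include/uapi/linux/capability.h).

```python
# Added example, not code from the original question or answer.
#  1. decode_caps / caps_from_status: turn the hex masks from /proc/<pid>/status
#     into capability names, so you can see what a sidecar really holds at runtime;
#  2. lint_security_context: check a securityContext dict against a least-privilege
#     policy (drop ALL, allowlisted adds, non-root, read-only root filesystem).
import re

# Bit index -> name, from include/uapi/linux/capability.h (CAP_CHOWN is bit 0).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]


def decode_caps(mask_hex):
    """Decode one CapInh/CapPrm/CapEff/CapBnd/CapAmb hex mask into CAP_ names."""
    mask = int(mask_hex, 16)
    return ["CAP_" + name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def caps_from_status(status_text):
    """Parse every Cap* line of a /proc/<pid>/status dump into decoded name lists."""
    return {m.group(1): decode_caps(m.group(2))
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M)}


def effective_caps(status_text):
    """The capabilities the process can actually use right now (CapEff)."""
    return caps_from_status(status_text).get("CapEff", [])


def _norm(cap):
    # Kubernetes spells capabilities without the CAP_ prefix; tolerate both and any case.
    c = cap.upper()
    return c[4:] if c.startswith("CAP_") else c


def lint_security_context(sc, allowed_adds=("SYS_ADMIN",)):
    """Return (code, message) findings for a container securityContext dict."""
    findings = []
    caps = sc.get("capabilities") or {}
    drop_raw = caps.get("drop") or []
    drop = {_norm(c) for c in drop_raw}
    add = {_norm(c) for c in (caps.get("add") or [])}
    privileged = bool(sc.get("privileged"))
    if privileged:
        findings.append(("PRIVILEGED", "privileged: true grants every capability plus host "
                         "device access; use capabilities.add instead"))
    if "ALL" not in drop:
        findings.append(("DROP_ALL", "capabilities.drop should contain ALL before adding anything back"))
    elif "ALL" not in drop_raw:
        findings.append(("DROP_ALL_CASE", "capabilities.drop spells it in lower case; the documented value is ALL"))
    extra = sorted(add - {_norm(c) for c in allowed_adds})
    if extra:
        findings.append(("EXTRA_CAPS", f"capabilities.add exceeds the allowlist: {extra}"))
    if not add and not privileged and sc.get("allowPrivilegeEscalation", True):
        findings.append(("APE", "no capability is added, so allowPrivilegeEscalation can be false (no_new_privs)"))
    if "SYS_ADMIN" in add and sc.get("allowPrivilegeEscalation") is False:
        findings.append(("APE_FORCED", "allowPrivilegeEscalation: false has no effect when CAP_SYS_ADMIN "
                         "is added; the API docs state it is always true in that case"))
    if sc.get("runAsNonRoot") and add:
        findings.append(("NONROOT_CAPS", "runAsNonRoot with capabilities.add: verify CapEff in the running "
                         "container; a non-root process only keeps added capabilities through the "
                         "ambient set or file capabilities on the binary"))
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(("RO_ROOTFS", "readOnlyRootFilesystem is unset; a sidecar usually only needs "
                         "a writable socket directory, which can be a volume mount"))
    return findings


# Constructed /proc/<pid>/status excerpts (not captured from a real cluster).
# Root sidecar: CAP_SYS_ADMIN (bit 21 = 0x200000) in every set except ambient.
STATUS_ROOT = ("Name:\tcsi-attacher\nUid:\t0\t0\t0\t0\n"
               "CapInh:\t0000000000200000\nCapPrm:\t0000000000200000\n"
               "CapEff:\t0000000000200000\nCapBnd:\t0000000000200000\nCapAmb:\t0000000000000000\n")
# Same securityContext but a non-root UID: the capability survives only in the
# bounding and inheritable sets, permitted/effective are empty, so mount(2) fails.
STATUS_NONROOT = ("Name:\tcsi-attacher\nUid:\t65532\t65532\t65532\t65532\n"
                  "CapInh:\t0000000000200000\nCapPrm:\t0000000000000000\n"
                  "CapEff:\t0000000000000000\nCapBnd:\t0000000000200000\nCapAmb:\t0000000000000000\n")

# The securityContext from the question, as a dict.
QUESTION_SC = {
    "allowPrivilegeEscalation": True,
    "privileged": False,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["all"], "add": ["SYS_ADMIN"]},
}

if __name__ == "__main__":
    print("root CapEff:    ", effective_caps(STATUS_ROOT))
    print("non-root CapEff:", effective_caps(STATUS_NONROOT))
    for code, msg in lint_security_context(QUESTION_SC):
        print(f"{code}: {msg}")
```

The lint keeps CAP_SYS_ADMIN on the allowlist because the answer is right that mount(2)/umount(2) need it, so the remaining room to tighten is elsewhere: a read-only root filesystem, and confirming that the capability is actually effective when the container runs as non-root. The second constructed status dump shows the failure mode worth checking for: with `runAsNonRoot: true` and no ambient or file capabilities, CapBnd still lists CAP_SYS_ADMIN while CapEff is empty, which is what you see when a sidecar with this exact securityContext cannot mount.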