Copy PSP hostpath warning to hostpath volume docs #28252
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
language/en
|
✔️ Deploy Preview for kubernetes-io-main-staging ready! 🔨 Explore the source changes: 6d0d8c0 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/60d3cfeb1bfea5000778882e 😎 Browse the preview: https://deploy-preview-28252--kubernetes-io-main-staging.netlify.app |
| @@ -529,6 +529,15 @@ See the [GlusterFS example](https://github.com/kubernetes/examples/tree/{{< para | |||
|
|
|||
| ### hostPath {#hostpath} | |||
|
|
|||
| {{< warning >}} | |||
| There are many ways a container with unrestricted access to the host filesystem can escalate | |||
| privileges, including reading data from other containers, and abusing the credentials of system | |||
There was a problem hiding this comment.
I think it's an excellent idea to add that warning here. I'd remove the comma (,) after containers, although I see it matches how it was written in the other text. So not a big deal.
|
Thanks @tallclair . |
k8s-ci-robot
added
sig/storage
| @@ -529,6 +529,15 @@ See the [GlusterFS example](https://github.com/kubernetes/examples/tree/{{< para | |||
|
|
|||
| ### hostPath {#hostpath} | |||
|
|
|||
| {{< warning >}} | |||
| There are many ways a container with unrestricted access to the host filesystem can escalate | |||
There was a problem hiding this comment.
| There are many ways a container with unrestricted access to the host filesystem can escalate | |
| There are many ways a container with access to the host filesystem can escalate |
I feel like we could elaborate further here, but I especially feel like the word "unrestricted" here could give users a false sense of security if they have done something they think of as restricting hostPath.
There was a problem hiding this comment.
Should we mention that:
- the best restriction is not allowing folk to define a
hostPathvolume at all? - even if you restrict what host paths a Pod / entire namespace can mount, there may well be attacks / risks that require careful mitigation?
There was a problem hiding this comment.
Good recommendations. I took a stab at re-writing this. PTAL.
|
/sig security |
k8s-ci-robot
added
the
sig/security
k8s-ci-robot
added
size/S
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kbhawkey The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| HostPaths when possible. When a HostPath volume must be used, it should be scoped to only the | ||
| required file or directory, and mounted as ReadOnly. | ||
|
|
||
| If restricting HostPath acccess to specific directories through AdmissionPolicy, `volumeMounts` MUST |
There was a problem hiding this comment.
We can use bold:
| If restricting HostPath acccess to specific directories through AdmissionPolicy, `volumeMounts` MUST | |
| If restricting HostPath acccess to specific directories through AdmissionPolicy, `volumeMounts` **must** |
|
@tallclair Thank you for the PR! /lgtm |
|
LGTM label has been added. Git tree hash: 341aeaaa702feaa019f81020f3d7104ef6f7ddd3
|
k8s-ci-robot
added
the
lgtm
We don't currently do a good enough job warning about the dangers of HostPaths, and some of the unintuitive ways that admission policies can be bypassed.
We have a warning on the PSP documentation (https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems), but we should also call out the risks on the hostpath volume documentation directly.
Fixes #18850