Harden addons & system pods · kubernetes/kubernetes#38541

(14 comments) (5 reactions) (0 assignees)Go (122,268 stars) (43,066 forks)batch import

area/securityhelp wantedkind/cleanuplifecycle/frozenpriority/important-longtermsig/auth

Description

Our system pods should run using security best practices, both to enhance cluster security and serve as examples of best practices to users. We should audit all our system pod Dockerfiles, and make sure all security features are enabled with custom profiles when possible.

Low hanging fruit:

Run as non-root (& disallow privilege escalation)
Run with the default seccomp profile
ReadOnlyRootFilesystem
Avoid unnecessary HostPath volumes
Don't mount service account token (unless required)

More advanced:

Reduce depednencies in the base image (https://github.com/kubernetes/kubernetes/issues/40248)
Custom seccomp profile
Custom AppArmor profile
Drop unneeded capabilities (e.g. CAP_NET_RAW)
~~Run with restricted service accounts~~ (done)

/cc @kubernetes/sig-auth @kubernetes/sig-cluster-lifecycle

Contributor guide

Tech stack: godockershell
Domain: securitydevopsinfrastructure
Issue type: security
Difficulty: 3
Estimated time: 3-5 days
Activity status: stale
Clarity: clear
Prerequisites: Docker securityKubernetes basicsLinux capabilitiesSeccomp/AppArmor
Newbie friendliness: 40
Research direction: Begin by identifying all Dockerfiles in the addon and system pods directories (likely under 'cluster/addons' and 'pods/'). For each, apply security hardening: set USER non root, securityContext with runAsNonRoot, readOnlyRootFilesystem, and drop CAP NET RAW. Also consider using default seccomp profile. For advanced items, research custom AppArmor profiles and minimal base images (see issues #40248). No linked PRs or assignees, so no blockers.