Run services as non-privileged users · kubernetes/kubernetes#7961

(31 留言) (1 反應) (1 負責人)Go (122,268 star) (43,066 fork)batch import

area/securityhelp wantedkind/cleanuplifecycle/frozenpriority/backlogsig/apps

描述

At the moment most services in kubernetes run as root. This includes (from glancing at ps aux on a minion):

etcd
kube2sky
td-agent
~~skydns~~ (no longer exists in addons)
elasticsearch
~~heapster~~ (removed in 31fb04fa98e34773e18bd32d5aa4dfc554a9b83e)

It's best practice to use non-root user accounts for services that don't need them. E.g. elasticsearch had remote code execution vulnerabilities in the past. Even though docker's root has a capability bounding set applied so it doesn't translate to a real root on the host, the attack surface for privilege escalation attacks is still increased.

貢獻者指南

技術棧: godockerkubernetes
領域: securityinfrastructure
議題類型: security
難度: 4
預計時間: 3-5 days
活動狀態: stale
清晰度: clear
前置要求: Kubernetes fundamentalsDocker and container securityLinux user management
新手友善度: 40
研究方向: The issue requires identifying which services (etcd, kube2sky, td agent, elasticsearch) are still affected and modifying their Dockerfiles or Kubernetes manifests to run as a non root user. Review comments in the issue for any prior work or constraints. Ensure that the changes do not break functionality and follow Kubernetes security best practices. Test the modified services in a local cluster.