Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

run control-plane as non-root #2473

Open
11 of 16 tasks
neolit123 opened this issue May 10, 2021 · 29 comments
Open
11 of 16 tasks

run control-plane as non-root #2473

neolit123 opened this issue May 10, 2021 · 29 comments
Assignees
Labels
area/security kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Milestone

Comments

@neolit123
Copy link
Member

neolit123 commented May 10, 2021

KEP
https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2568-kubeadm-non-root-control-plane
k/e issue: kubernetes/enhancements#2568

This KEP proposes that the control-plane in kubeadm be run as non-root. If containers are running as root an escape from a container may result in the escalation to root in host. CVE-2019-5736 is an example of a container escape vulnerability that can be mitigated by running containers/pods as non-root.

kubeadm feature gate is called RootlessControlPlane

ALPHA 1.22:

BETA x.yy:
on hold until further notice we are watching the user namespaces KEP:
kubernetes/enhancements#3065

@neolit123 neolit123 added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. area/security kind/feature Categorizes issue or PR as related to a new feature. labels May 10, 2021
@neolit123 neolit123 added this to the v1.22 milestone May 10, 2021
@neolit123
Copy link
Member Author

/assign vinayakankugoyal

@neolit123
Copy link
Member Author

cc @vinayakankugoyal

@kubernetes kubernetes deleted a comment from k8s-ci-robot May 10, 2021
@vinayakankugoyal
Copy link
Contributor

vinayakankugoyal commented May 10, 2021

/assign vinayakankugoyal

I don't think this can be assigned to me because I am not a kubernetes org member. But to anyone following this bug, I will be working on it.

@vinayakankugoyal
Copy link
Contributor

Can we update the
add feature gate: link in the description above to kubernetes/kubernetes#102158

@neolit123
Copy link
Member Author

@vinayakankugoyal https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/#how-to-use-a-csi-volume
if the rootless kubeadm apiserver eventually becomes ON by default, would it break CSI driver users?

@vinayakankugoyal
Copy link
Contributor

@vinayakankugoyal https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/#how-to-use-a-csi-volume
if the rootless kubeadm apiserver eventually becomes ON by default, would it break CSI driver users?

no because it is not the kube-apiserver that needs to run as privileged pod, it is the csi driver that needs to run as privileged pod. --allow-privileged=true allows privileged containers it does not make kube-apiserver's container privileged. (Same for kubelet but that is anyways out of scope of this KEP.)

@vinayakankugoyal
Copy link
Contributor

/assign vinayakankugoyal

@vinayakankugoyal
Copy link
Contributor

Can we update e2e section above with PR: #2511

@neolit123
Copy link
Member Author

our e2e for this feature started failing yesterday. i have no explanation for the time being. but i don't think it's a kubeadm problem, so maybe something in core?
#2750

@pacoxu
Copy link
Member

pacoxu commented Nov 3, 2022

our e2e for this feature started failing yesterday. i have no explanation for the time being. but i don't think it's a kubeadm problem,
so maybe something in core? #2750

Yes

kubernetes/kubernetes#113548 may fix it. (a revert of kubernetes/kubernetes#113408 that was merged hours before that. )

@neolit123
Copy link
Member Author

it looks like the job has been green for a while, so maybe something else fixed it. the failures were in late august. i completely forgot about this..

https://k8s-testgrid.appspot.com/sig-cluster-lifecycle-kubeadm#kubeadm-kinder-rootless-latest

@pacoxu
Copy link
Member

pacoxu commented Nov 3, 2022

I opened the test grid(You post months ago) and find it failed yesterday(😓).

kubernetes/kubernetes#113548 may fix it. (a revert of kubernetes/kubernetes#113408 that was merged hours before that. )

Yesterday's failure is caused by that. Not failures in August.😄

@neolit123 neolit123 modified the milestones: v1.26, v1.27 Nov 21, 2022
@neolit123 neolit123 modified the milestones: v1.27, v1.28 Apr 17, 2023
@pacoxu pacoxu modified the milestones: v1.28, v1.29 Jul 19, 2023
@sftim
Copy link

sftim commented Aug 28, 2023

Is this actually important-longterm? It's been a few years.

@pacoxu
Copy link
Member

pacoxu commented Aug 31, 2023

/remove-priority important-soon

Is this actually important-longterm? It's been a few years.

This feature is an alternative way for the user namespace feature. As we prefer to use the user namespace to gain the security control plane in the future, we decided to not promote this one to beta. But we should keep this FG until user namespace kubernetes/enhancements#127 is beta.

@k8s-ci-robot k8s-ci-robot removed the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Aug 31, 2023
@pacoxu pacoxu added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Aug 31, 2023
@pacoxu pacoxu modified the milestones: v1.29, Next Aug 31, 2023
@pacoxu
Copy link
Member

pacoxu commented Mar 26, 2024

kubernetes/enhancements#127
User Namespace is beta in v1.30. We may start the deprecation of RootlessControlPlane in v1.31.

@LyKos4
Copy link

LyKos4 commented Sep 5, 2024

Is this expected to be completed? For which pods it is expected to change the user to non root?

@neolit123
Copy link
Member Author

neolit123 commented Sep 5, 2024

Is this expected to be completed? For which pods it is expected to change the user to non root

this feature is alpha and deprecated. please use UserNamespaces instead:
kubernetes/enhancements#127

once UserNamespaces becomes GA kubeadm will enable it by default.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/security kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Development

No branches or pull requests

7 participants