summaryrefslogtreecommitdiff
path: root/security_context.md
diff options
context:
space:
mode:
Diffstat (limited to 'security_context.md')
-rw-r--r--security_context.md34
1 files changed, 17 insertions, 17 deletions
diff --git a/security_context.md b/security_context.md
index 8a6dd314..7a80c01d 100644
--- a/security_context.md
+++ b/security_context.md
@@ -48,55 +48,55 @@ The problem of securing containers in Kubernetes has come up [before](https://gi
### Container isolation
-In order to improve container isolation from host and other containers running on the host, containers should only be
-granted the access they need to perform their work. To this end it should be possible to take advantage of Docker
-features such as the ability to [add or remove capabilities](https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration) and [assign MCS labels](https://docs.docker.com/reference/run/#security-configuration)
+In order to improve container isolation from host and other containers running on the host, containers should only be
+granted the access they need to perform their work. To this end it should be possible to take advantage of Docker
+features such as the ability to [add or remove capabilities](https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration) and [assign MCS labels](https://docs.docker.com/reference/run/#security-configuration)
to the container process.
Support for user namespaces has recently been [merged](https://github.com/docker/libcontainer/pull/304) into Docker's libcontainer project and should soon surface in Docker itself. It will make it possible to assign a range of unprivileged uids and gids from the host to each container, improving the isolation between host and container and between containers.
### External integration with shared storage
-In order to support external integration with shared storage, processes running in a Kubernetes cluster
-should be able to be uniquely identified by their Unix UID, such that a chain of ownership can be established.
+In order to support external integration with shared storage, processes running in a Kubernetes cluster
+should be able to be uniquely identified by their Unix UID, such that a chain of ownership can be established.
Processes in pods will need to have consistent UID/GID/SELinux category labels in order to access shared disks.
## Constraints and Assumptions
-* It is out of the scope of this document to prescribe a specific set
+* It is out of the scope of this document to prescribe a specific set
of constraints to isolate containers from their host. Different use cases need different
settings.
-* The concept of a security context should not be tied to a particular security mechanism or platform
+* The concept of a security context should not be tied to a particular security mechanism or platform
(ie. SELinux, AppArmor)
* Applying a different security context to a scope (namespace or pod) requires a solution such as the one proposed for
[service accounts](service_accounts.md).
## Use Cases
-In order of increasing complexity, following are example use cases that would
+In order of increasing complexity, following are example use cases that would
be addressed with security contexts:
1. Kubernetes is used to run a single cloud application. In order to protect
nodes from containers:
* All containers run as a single non-root user
* Privileged containers are disabled
- * All containers run with a particular MCS label
+ * All containers run with a particular MCS label
* Kernel capabilities like CHOWN and MKNOD are removed from containers
-
+
2. Just like case #1, except that I have more than one application running on
the Kubernetes cluster.
* Each application is run in its own namespace to avoid name collisions
* For each application a different uid and MCS label is used
-
-3. Kubernetes is used as the base for a PAAS with
- multiple projects, each project represented by a namespace.
+
+3. Kubernetes is used as the base for a PAAS with
+ multiple projects, each project represented by a namespace.
* Each namespace is associated with a range of uids/gids on the node that
- are mapped to uids/gids on containers using linux user namespaces.
+ are mapped to uids/gids on containers using linux user namespaces.
* Certain pods in each namespace have special privileges to perform system
actions such as talking back to the server for deployment, run docker
builds, etc.
* External NFS storage is assigned to each namespace and permissions set
- using the range of uids/gids assigned to that namespace.
+ using the range of uids/gids assigned to that namespace.
## Proposed Design
@@ -109,7 +109,7 @@ to mutate Docker API calls in order to apply the security context.
It is recommended that this design be implemented in two phases:
-1. Implement the security context provider extension point in the Kubelet
+1. Implement the security context provider extension point in the Kubelet
so that a default security context can be applied on container run and creation.
2. Implement a security context structure that is part of a service account. The
default context provider can then be used to apply a security context based
@@ -137,7 +137,7 @@ type SecurityContextProvider interface {
}
```
-If the value of the SecurityContextProvider field on the Kubelet is nil, the kubelet will create and run the container as it does today.
+If the value of the SecurityContextProvider field on the Kubelet is nil, the kubelet will create and run the container as it does today.
### Security Context
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-26 11:33:51 +0000