KEP-3636 CSI Drivers in Windows as HostProcess Pods #3641
/sig storage
/cc @jingxu97
Hey @mauriciopoppe, was nice meeting you briefly at KubeCon. Just some minor comments.
From the code PR, "The named pipes are not protected, this means that not only CSI Drivers but any Windows workload can mount them and execute privileged storage operations (imagine a workload reformatting the volume of another workload). This is a current problem as of now." I think this is the case for any Pod that mounts a hostPath, Windows or otherwise. I guess filesystem permissions help here?
We should mention that hostProcess support is going stable in k8s 1.26 and requires containerd 1.7 (unreleased) as mentioned in the SIG Windows update at KubeCon.
Maybe mention for those that will need to make the conversion about the new small host process base image. bit.ly/hpc-base-image
``` | ||
|
||
- Both the baseline and restricted Pod Security Standards disallows the creation of HPC pods (docs). | ||
- Create a Windows user with limited permissions to create files under the kubelet controlled path `C:\var\lib\kubelet` |
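Review bot: in the last bullet, "limited permissions" is left undefined and nothing says how the HostProcess pod comes to run as the new account. State which rights the account needs on `C:\var\lib\kubelet` and which pod spec field selects it, so the bullet reads as a procedure an administrator can follow. In the first bullet, "disallows" should be "disallow" to agree with "Both".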
- Create a Windows user with limited permissions to create files under the kubelet controlled path `C:\var\lib\kubelet` | |
- Create a Windows group with limited permissions to create files under the kubelet controlled path `C:\var\lib\kubelet` and set the `runAsUserName` in the pod spec to that group |
see more details under https://github.com/kubernetes/enhancements/tree/master/keps/sig-windows/1981-windows-privileged-container-support#container-users
You're right on it being a problem in Linux too, I've updated the security part so that there's a suggested workflow for Cluster Administrators to determine the workload privileges per namespace using Pod Security Standards.
Good points, I'll add them to the doc
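Added example (not part of the PR or the KEP text): the per-namespace Pod Security Standards split mentioned in the reply above, together with a HostProcess pod that runs as a limited local group as the review suggestion proposes. The namespace names, the group name and the image are placeholders, and running as a local group is assumed to be supported by the node's container runtime.

```yaml
# Added example: names, group and image below are hypothetical placeholders.
# Namespace reserved for the CSI node driver. HostProcess pods are only
# admitted at the "privileged" Pod Security Standards level.
apiVersion: v1
kind: Namespace
metadata:
  name: csi-windows-drivers          # hypothetical
  labels:
    pod-security.kubernetes.io/enforce: privileged
---
# Ordinary workload namespace. "baseline" rejects pods that set
# windowsOptions.hostProcess and pods that use hostPath volumes, so
# tenant workloads here cannot reach host named pipes that way.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                       # hypothetical
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: csi-node-windows             # hypothetical
  namespace: csi-windows-drivers
spec:
  nodeSelector:
    kubernetes.io/os: windows
  hostNetwork: true                  # required for HostProcess pods
  securityContext:
    windowsOptions:
      hostProcess: true
      # Hypothetical local group whose ACLs grant file creation only
      # under C:\var\lib\kubelet (assumption: created by the node admin).
      runAsUserName: "csi-driver-group"
  containers:
    - name: node-driver
      image: registry.example/csi-node-driver:placeholder
```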
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@msau42: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@mauriciopoppe @msau42 any updates on this?
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/reopen
@mauriciopoppe: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mauriciopoppe The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/remove-lifecycle rotten
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
/cc @msau42 @ddebroy @jingxu97