Document security restrictions (eg AppArmor) in Pods concept #39601
Comments
This should be a fun time. Since we already talk about privileged mode on the Pods page, I agree that it's important to talk about the security constraints that you can place on containers. I also agree that a standalone page that discusses container isolation strategies and kernel-level security measures would be a good addition to our docs. /triage accepted
As a first step, I'll find out if this information exists across our current docs (it definitely does) and draft up a plan for changes.
The framing here should be:
Thanks @shannonxtreme. If you're willing to focus first on the minimum viable change that can allow seccomp and AppArmor to graduate with docs in place, that'll help. It does mean more overall work if you then revisit things to make a larger improvement. Sorry about that.
Going through the current content, it feels disconnected talking about privileged mode without mentioning isolation levels. For someone starting their learning journey it may be hard to understand what that really means. In my opinion, the existing
Agreed that it's a bit out of place there. We already have https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ so I wonder how that fits... Regardless, for the MVP for this issue I'll focus on a smaller scope to meet the requirements here and then we can fiddle and improve.
Planned here: https://docs.google.com/document/d/1QRNYpBL-gLhNKkvizu5CzCddP5K4rzs3YmfSL4z2IKE/edit?usp=sharing @sftim @pjbgf I'd appreciate reviews on the scope so that I can do a draft and get that reviewed.
I drafted the MVP of that page: https://docs.google.com/document/d/1QRNYpBL-gLhNKkvizu5CzCddP5K4rzs3YmfSL4z2IKE/edit#heading=h.x36r4r3h4evh It's missing some info that I am not sure about.
I'd be happy to see a PR anyway.
Still working on this, will send a PR soon.
@shannonxtreme would you like any help here?
@sftim I'll open a draft PR in the coming days. One final-ish question: the content in https://kubernetes.io/docs/concepts/security/security-checklist/#enabling-seccomp (the seccomp and AppArmor/SELinux sections) is basically a summary of the content in this new page. Think it's a good idea to remove that bulk from the checklist page and link to the new page to learn more?
@kbhawkey @onlydole @tengqm I'd really like to hear your thoughts on Shannon's question in #39601 (comment)
Security has been one of the top concerns for a few years when people start evaluating k8s.
If #43176 merges first, we could build on that. Thoughts there?
I agree - we can expand that page or work it into a more use-case-based signposting topic. Some considerations though:
Maybe we can create a follow-up issue for this and discuss the actual presentation of that information there?
@shannonxtreme Maybe we can draft a TOC for this on Google Docs for discussion?
@tengqm sounds good to me, we should probably also create a backlog issue for tracking purposes (I can do it later today; I'm away from my computer, still waking up 😂)
Relevant to #45471
We can now link from the Pod concept to https://kubernetes.io/docs/concepts/security/cloud-native-security/#protection-runtime-compute
This is a Feature Request
What would you like to be added
The Pods section doesn't mention that you can run Pods with AppArmor / seccomp / whatever to constrain the container.
Why is this needed
Although we have tutorials that explain the concepts in the manner of a walkthrough, having a concept guide is important too.
It's OK if the mention within https://kubernetes.io/docs/concepts/workloads/pods/ is more like a signpost: a hyperlink to another page such as https://kubernetes.io/docs/concepts/security/container-sandboxing/ (which doesn't exist).
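As an added illustration of the constraints the issue asks the Pods concept page to signpost (this is example config written for this discussion, not a manifest from the kubernetes/website repository or from the issue), the two Pod specs below place the same container under privileged mode and under kernel-level restrictions. The Pod name, UID and image reference are placeholders. The `seccompProfile` field has been in `securityContext` since it went GA in v1.19; the `appArmorProfile` field arrived with v1.30, and on older clusters the equivalent is the `container.apparmor.security.beta.kubernetes.io/<container-name>` Pod annotation set to `runtime/default`. A privileged container is started unconfined by both seccomp and AppArmor, which is why the first spec defeats the other settings even if they were present.

```yaml
# Weak: privileged mode grants all capabilities, host device access,
# and runs the container unconfined by seccomp and AppArmor.
apiVersion: v1
kind: Pod
metadata:
  name: demo-privileged          # placeholder name
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      privileged: true
---
# Constrained: the same container with the restrictions the concept page
# should point readers to. Each setting is independent; together they
# keep the process unprivileged and under a kernel syscall/MAC profile.
apiVersion: v1
kind: Pod
metadata:
  name: demo-restricted          # placeholder name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001             # arbitrary unprivileged UID, placeholder
    seccompProfile:
      type: RuntimeDefault       # the container runtime's default seccomp profile
    appArmorProfile:             # field form requires Kubernetes v1.30 or later
      type: RuntimeDefault       # the runtime's default AppArmor profile
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false     # blocks setuid/setcap gaining privileges (no_new_privs)
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]                     # drop the runtime's default capability set
```

To use a custom seccomp profile instead of the runtime default, set `seccompProfile.type: Localhost` with `localhostProfile` naming a file under the kubelet's seccomp directory on the node; a `Localhost` AppArmor profile likewise has to be loaded into the node's kernel beforehand, which is the operational caveat that makes `RuntimeDefault` the sensible starting point for a concept page.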
/sig security
Relevant to kubernetes/enhancements#24
Relevant to kubernetes/enhancements#135