-
Notifications
You must be signed in to change notification settings - Fork 5.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Jess Frazelle <[email protected]>
- Loading branch information
Showing
1 changed file
with
50 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| # CRI: RawProc Option | ||
|
|
||
| ## Background | ||
|
|
||
| Currently the way docker and most other container runtimes work is by masking | ||
| and setting as read-only certain paths in `/proc`. This is to prevent data | ||
| from being exposed into a container that should not be. However, there are | ||
| certain use-cases where it is necessary to turn this off. | ||
|
|
||
| ## Motivation | ||
|
|
||
| For end-users who would like to run unprivileged containers using user namespaces | ||
| _nested inside_ CRI containers, we need an option to have a `RawProc`. That is, | ||
| to explicitly turn off masking and setting read-only of paths so that we can | ||
| mount `/proc` in the nested container as an unprivileged user. | ||
|
|
||
| Please see the following filed issues for more information: | ||
| - [opencontainers/runc#1658](https://github.com/opencontainers/runc/issues/1658#issuecomment-373122073) | ||
| - [moby/moby#36597](https://github.com/moby/moby/issues/36597) | ||
| - [moby/moby#36644](https://github.com/moby/moby/pull/36644) | ||
|
|
||
| **NOTE:** This option really only makes sense for when a user is nesting | ||
| unprivileged containers with user namespaces as it will allow more information | ||
| than is necessary to the program running in the container spawned by | ||
| kubernetes. | ||
|
|
||
| The main use case for this option is to run | ||
| [genuinetools/img](https://github.com/genuinetools/img) inside a kubernetes | ||
| container. That program then launches sub-containers that take advantage of | ||
| user namespaces and re-mask /proc and set /proc as read-only. So therefore | ||
| there is no concern with having a raw proc open in the top level container. | ||
|
|
||
| ## Implementation | ||
|
|
||
| This proposal suggests adding the following to `bool` `LinuxSandboxSecurityContext`: | ||
|
|
||
| ``` | ||
| bool raw_proc | ||
| ``` | ||
|
|
||
| Which will inform the runtimes implementing CRI to not mask or set as read-only | ||
| the paths in `/proc`. | ||
|
|
||
| This option would also be exposed as a `bool` to the `securityContext` for | ||
| containers in the form of `rawProc`. | ||
|
|
||
| It will be false by default. | ||
|
|
||
| This will also add a `AllowRawProc` to the `PodSecurityPolicy` to allow | ||
| administrators to cut off the use of containers settings `RawProc`. |