remove unnecessary capabilities to adhere to PoLP #35
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
**Background** The Gremlin Agent Daemonset exposes various capabilities needed to: 1. carry out attacks within the Daemonset pods 2. carry out container initialization operations like entering the net/pid namespaces of other containers 3. appease [the default container spec][ociruntimetool] provided by our 3rd party libraries (even when it contains capabilities we do not need) Gremlin should try to always adhere to the principle of least privilege (PoLP), and so the capabilities that fall under #3 should be removed. This will require a new agent release. **Change** * Remove capabilities Gremlin does not need when it no longer leverages the capabilities provided by oci-runtime-tool's default capabilities set. **Testing** - [ ] test on openshift 3.x - [ ] test on openshift 4.x - [ ] test on plain crio-based cluster - [ ] test on plain containerd-based cluster [ociruntimetool]: https://github.com/opencontainers/runtime-tools/blob/59cdde06764be8d761db120664020f0415f36045/generate/generate.go#L92
|
This change is awaiting testing on OpenShift. The Gremlin agent has already been updated to no longer need these capabilities. Anyone that wishes to launch Gremlin without the required caps can do so by supplying these args explicitly: --set gremlin.podSecurity.capabilities[0]=KILL \
--set gremlin.podSecurity.capabilities[1]=NET_ADMIN \
--set gremlin.podSecurity.capabilities[2]=SYS_BOOT \
--set gremlin.podSecurity.capabilities[3]=SYS_TIME \
--set gremlin.podSecurity.capabilities[4]=SYS_ADMIN \
--set gremlin.podSecurity.capabilities[5]=SYS_PTRACE \
--set gremlin.podSecurity.capabilities[6]=SYS_CHROOT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
The Gremlin Agent Daemonset exposes various capabilities needed to:
Gremlin should try to always adhere to the principle of least privilege (PoLP), and so the capabilities that fall under
#3should be removed. This will require a new agent release.Change
Testing