remove unnecessary capabilities to adhere to PoLP #35

Open
wants to merge 1 commit into
base: master

Conversation

philgebhardt
Contributor

@philgebhardt philgebhardt commented May 28, 2021

**Background**

The Gremlin Agent Daemonset exposes various capabilities needed to:
1. carry out attacks within the Daemonset pods
2. carry out container initialization operations like entering the net/pid namespaces of other containers
3. appease [the default container spec][ociruntimetool] provided by our 3rd party libraries (even when it contains capabilities we do not need)

Gremlin should try to always adhere to the principle of least privilege (PoLP), and so the capabilities that fall under #3 should be removed. This will require a new agent release.

**Change**

* Remove capabilities Gremlin does not need when it no longer leverages the capabilities provided by oci-runtime-tool's default capabilities set.

**Testing**

- [ ] test on openshift 3.x
- [ ] test on openshift 4.x
- [ ] test on plain crio-based cluster
- [ ] test on plain containerd-based cluster

[ociruntimetool]: https://github.com/opencontainers/runtime-tools/blob/59cdde06764be8d761db120664020f0415f36045/generate/generate.go#L92
@philgebhardt philgebhardt requested a review from a team May 28, 2021 18:29
@philgebhardt
Contributor Author

This change is awaiting testing on OpenShift. The Gremlin agent has already been updated to no longer need these capabilities. Anyone who wishes to launch Gremlin without the required caps can do so by supplying these args explicitly:

```shell
--set gremlin.podSecurity.capabilities[0]=KILL \
--set gremlin.podSecurity.capabilities[1]=NET_ADMIN \
--set gremlin.podSecurity.capabilities[2]=SYS_BOOT \
--set gremlin.podSecurity.capabilities[3]=SYS_TIME \
--set gremlin.podSecurity.capabilities[4]=SYS_ADMIN \
--set gremlin.podSecurity.capabilities[5]=SYS_PTRACE \
--set gremlin.podSecurity.capabilities[6]=SYS_CHROOT
```

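The PR description distinguishes capabilities the agent actually uses from ones that are only present because a runtime's default capability set includes them, and the comment above lists the seven the agent still needs. The script below is an added example for checking that distinction on a running pod; it is not code from the gremlin/helm chart or the agent. It decodes the `CapEff`/`CapBnd` bitmask from `/proc/<pid>/status` into capability names, reports which granted capabilities are excess relative to the seven-entry list from the comment and which are missing, renders the same `--set` arguments the comment shows, and emits a `drop: [ALL]` plus `add:` securityContext. The assumptions are: the seven capabilities are the complete minimal set; the chart maps `gremlin.podSecurity.capabilities` onto `securityContext.capabilities.add` (a hypothetical mapping, check the template); the bit numbers come from `linux/capability.h`; and the sample status text and the `a80425fb` mask (the well-known default bounding set docker/runc grant when no capabilities are specified) are constructed inputs.

```python
"""Capability audit helper for a pod such as the Gremlin agent DaemonSet.

Added example, not code from the gremlin/helm chart or the Gremlin agent.
Assumptions (see lead-in): REQUIRED is the agent's minimal set; the chart
renders gremlin.podSecurity.capabilities into securityContext.capabilities.add;
sample CapEff/CapBnd values below are constructed for illustration.
"""
import re

# Capability bit numbers from linux/capability.h: bit n <-> CAP_<CAP_NAMES[n]>.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# The minimal set from the PR comment, in the same order as its --set arguments.
REQUIRED = ["KILL", "NET_ADMIN", "SYS_BOOT", "SYS_TIME", "SYS_ADMIN",
            "SYS_PTRACE", "SYS_CHROOT"]


def decode_capmask(hexmask):
    """Turn a Cap* hex value from /proc/<pid>/status into a set of names."""
    mask = int(hexmask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def caps_from_proc_status(status_text, field="CapEff"):
    """Find one Cap* line (CapEff, CapBnd, ...) in /proc/<pid>/status text."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError(f"{field} not found in status text")
    return decode_capmask(m.group(1))


def audit(granted, required=REQUIRED):
    """Excess caps should be dropped (PoLP); missing caps would break the agent."""
    req = set(required)
    return {"excess": sorted(set(granted) - req), "missing": sorted(req - set(granted))}


def helm_set_args(caps=REQUIRED, key="gremlin.podSecurity.capabilities"):
    """Render the explicit --set arguments shown in the PR comment."""
    return [f"--set {key}[{i}]={cap}" for i, cap in enumerate(caps)]


def hardened_security_context(caps=REQUIRED):
    """securityContext that discards the runtime default set and adds back only
    the required caps. Assumed target shape for the chart's container template."""
    return {"capabilities": {"drop": ["ALL"], "add": list(caps)}}


# Constructed sample: the default bounding set docker/runc grant when a spec
# names no capabilities (CapBnd 00000000a80425fb, 14 capabilities).
DEFAULT_RUNTIME_CAPS = decode_capmask("00000000a80425fb")

# Constructed sample: status of a process granted exactly the seven REQUIRED caps.
SAMPLE_STATUS = """Name:\tgremlind
CapInh:\t0000000000000000
CapPrm:\t00000000026c1020
CapEff:\t00000000026c1020
CapBnd:\t00000000026c1020
"""

if __name__ == "__main__":
    print("runtime default set vs required:", audit(DEFAULT_RUNTIME_CAPS))
    print("hardened pod vs required:", audit(caps_from_proc_status(SAMPLE_STATUS)))
    print("\n".join(helm_set_args()))
    print(hardened_security_context())
```

To use it against a real pod, run `kubectl exec <gremlin-pod> -- cat /proc/1/status` and feed the output to `caps_from_proc_status`; checking `CapBnd` as well as `CapEff` matters, because a capability left in the bounding set can be regained by a setuid or file-capability binary even when it is absent from the effective set.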