In OCP, it is possible to run privileged containers that have all of the root capabilities on a host machine, allowing the ability to access resources which are not accessible in ordinary containers. This, however, increases the security risk to the whole cluster. Containers should only request those privileges they need to run their legitimate functions. No containers will be allowed to run with full privileges without an exception.
The general guidelines are:
-
Only ask for the necessary privileges and access control settings for your application.
-
If the function required by your workload can be fulfilled by OCP components, your application should not be requesting escalated privilege to perform this function.
-
Avoid using any host system resource if possible.
-
Leveraging read only root filesystem when possible.
|
Important
|
Workload requirement
Only ask for the necessary privileges and access control settings for your application See test case access-control-security-context-non-root-user-check |
|
Important
|
Workload requirement
If the function required by your workload can be fulfilled by OCP components, your application should not be requesting escalated privilege to perform this function. See test case access-control-security-context-privilege-escalation |
|
Important
|
Workload requirement
Avoid using any host system resource. See test cases access-control-pod-host-ipc, access-control-pod-host-pid |
|
Important
|
Workload requirement
Do not mount host directories for device access. See test case access-control-pod-host-path |
|
Important
|
Workload requirement
Do not use host network namespace. See test case access-control-namespace |
|
Important
|
Workload requirement
Workloads may not modify the platform in any way. See test cases platform-alteration-base-image, platform-alteration-sysctl-config |