-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Narrow down the security profile of queue-proxy containers #9974
Narrow down the security profile of queue-proxy containers #9974
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Codecov Report
@@ Coverage Diff @@
## master #9974 +/- ##
=======================================
Coverage 87.78% 87.78%
=======================================
Files 183 183
Lines 8631 8631
=======================================
Hits 7577 7577
+ Misses 803 802 -1
- Partials 251 252 +1
Continue to review full report at Codecov.
|
Coming to think about it, maybe the QP actually has to have some caps to generate the socket to become ready 🤔 |
@markusthoemmes could we put it on a volume? 🤔 cc @julz |
@mattmoor yeah I'm just investigating what the smallest surface area is. Disabling the readOnlyFilesystem fixes things so that should be easyish to resolve. |
Volume might work, but thinking out loud that might up exposing more surface area (trade offs) because then eg the PodSecurityPolicy will need to allow that volume type. Also I think volumes are pod level so we have to be careful a user can't sneakily add a volumemount to their user container (admittedly we don't allow those.. yet) and get access to the socket :/ |
I would love us to be able to enable read-only filesystems though, to the extent that Im kind of regretting introducing the unix socket tbh :D |
@julz yeah, you're voicing exactly what my quick research brought 😂. I toyed adding an |
wonder if we could use an abstract socket and avoid the filesystem 🤔. downside: I think they're shared across the network namespace, in which case it'd be visible in user container :( - might be ok if it's only hosting a readiness endpoint, tho. |
I'll play with it a little more, meanwhile I guess we could ship this with a writeable filesystem for now and play with alternatives separately. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: julz, markusthoemmes, mattmoor The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
For the record: Abstract sockets seem to work, but I'd still like to keep the change separately so we can discuss sideeffects and stuff. |
Proposed Changes
Akin to our "main" deployments, this also narrows down the security surface of our queue-proxy containers. They shouldn't need any special capabilities.
Release Note
/assign @mattmoor @vagababov