Page MenuHomePhabricator
Create Task
Maniphest T112718

Write admission controller disabling mounting of unauthorized volumes
Closed, ResolvedPublic
Actions

Description

Pods should only be able to mount /data/project/, /data/scratch and /public (readonly). Nothing else.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
tools: Enable HostPathEnforcer admission controlleroperations/puppetproduction+17 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

yuvipanda created this task.Sep 16 2015, 3:00 AM
yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description. (Show Details)
yuvipanda added projects: Cloud-Services, Toolforge.
yuvipanda added subscribers: Joe, Aklapper, yuvipanda.
yuvipanda added a project: Labs-Sprint-115.Sep 21 2015, 5:14 PM
yuvipanda set Security to None.
yuvipanda claimed this task.Sep 28 2015, 7:04 AM
yuvipanda moved this task from To do to Doing on the Labs-Sprint-115 board.
yuvipanda added a project: labs-sprint-116.Sep 28 2015, 5:13 PM
valhallasw triaged this task as Low priority.Oct 4 2015, 11:52 AM
valhallasw subscribed.

Not sure if I agree with that. Projects can currently read other files on NFS if permissions allow, and I'm not sure if it should be different in k8s.

valhallasw moved this task from Backlog to Ready to be worked on on the Toolforge board.Oct 4 2015, 11:54 AM
yuvipanda raised the priority of this task from Low to Medium.Oct 4 2015, 5:07 PM

Sure! But they still should be disallowed from mounting /etc as rw on the host, since there are otherwise ways to compromise the host machine :)

yuvipanda updated the task description. (Show Details)Oct 4 2015, 5:07 PM
yuvipanda added a project: labs-sprint-117.Oct 5 2015, 5:02 PM
yuvipanda removed a project: labs-sprint-117.Oct 6 2015, 8:48 AM
yuvipanda added a project: labs-sprint-118.Oct 26 2015, 4:06 PM
yuvipanda removed yuvipanda as the assignee of this task.Nov 13 2015, 7:02 AM
yuvipanda added a comment.Nov 29 2015, 2:16 AM

I think T116504 solves this now - since you can mount host volumes as much as you want but they won't be running as root so you can't do much damage.

yuvipanda added a comment.Nov 29 2015, 2:16 AM

Need to verify this, of course.

yuvipanda closed this task as Resolved.Apr 12 2016, 7:27 PM
yuvipanda claimed this task.

Closed with https://phabricator.wikimedia.org/T116504 which is a more general and better solution.

yuvipanda reopened this task as Open.May 14 2016, 11:46 PM

This is actually necessary, since the containers still run with gid 0. Even though it doesn't have special privs unlike uid 0, lots of filesystem paths are owned by gid 0 and might accidentally be writeable by these. So let's write an admission controller to provide added defense in depth.

gerritbot subscribed.May 14 2016, 11:46 PM

Change 288808 had a related patch set uploaded (by Yuvipanda):
tools: Enable HostPathEnforcer admission controller

https://gerrit.wikimedia.org/r/288808

gerritbot added a project: Patch-For-Review.May 14 2016, 11:46 PM
yuvipanda closed this task as Resolved.May 18 2016, 2:47 PM

Done and deployed!

gerritbot added a comment.May 18 2016, 7:39 PM

Change 288808 merged by Yuvipanda:
tools: Enable HostPathEnforcer admission controller

https://gerrit.wikimedia.org/r/288808

yuvipanda mentioned this in rOPUPf56e71fa8147: tools: Enable HostPathEnforcer admission controller.May 18 2016, 7:42 PM
yuvipanda mentioned this in rOPUPe3551d5877ed: tools: Enable HostPathEnforcer admission controller.Jun 17 2016, 6:07 PM
yuvipanda mentioned this in rOPUP690893985d5a: tools: Enable HostPathEnforcer admission controller.
yuvipanda mentioned this in rOPUP409a0a2e7bc9: tools: Enable HostPathEnforcer admission controller.
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:47 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits