Reputation: 2932
The K8s documentation has an example for a restricted PodSecurityPolicy:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example-policies
It restricts 'supplementalGroups' and 'fsGroup' but not 'runAsGroup'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
Therefore it allows a container in the securityContext to specify the root group with id 0. Isn't this a problem? Shouldn't the following
runAsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
be added to a restrictive PodSecruityPolicy?
Upvotes: 1
Views: 357
Reputation: 61699
Shouldn't the following...be added to a restrictive PodSecruityPolicy?
It's an option to restrict your primary group, if you don't have it then your primary group will not be restricted. So basically, pods can still run containers as the root Group: 0
.
supplementalGroups
means any additional group added to the user besides the primary group (secondary groups). In *nix systems 🖥️ you can have a process run as belonging to a primary group and a set of limited secondary groups.
✌️
Upvotes: 1