Reputation: 2932
Why does the k8s example restricted PodSecurityPolicy not restricting RunAsGroup?
The K8s documentation has an example for a restricted PodSecurityPolicy:
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example-policies
It restricts 'supplementalGroups' and 'fsGroup' but not 'runAsGroup'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
Therefore it allows a container in the securityContext to specify the root group with id 0. Isn't this a problem? Shouldn't the following
runAsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
be added to a restrictive PodSecruityPolicy?
Upvotes: 1
Views: 357
Answers (1)
Reputation: 61699
Shouldn't the following...be added to a restrictive PodSecruityPolicy?
It's an option to restrict your primary group, if you don't have it then your primary group will not be restricted. So basically, pods can still run containers as the root Group: 0.
supplementalGroups means any additional group added to the user besides the primary group (secondary groups). In *nix systems 🖥️ you can have a process run as belonging to a primary group and a set of limited secondary groups.
✌️
Upvotes: 1
Related Questions
- How do i know which pods are covered by a network policy in k8s
- Why cant I configure POD-level securityContext settings to be applied to all underlying Containers?
- k8s access control to single pod
- why does a service account can create pods when it's not allowed in kubernetes?
- Minikube: Restricted PodSecurityPolicy is not restricting when trying to create a privileged container
- k8s securityContext bypass
- Pod Security Policy not working as intended
- Kubernetes security context runAsUser
- Configuring PodSecurityPolicy on a kubeadm cluster
- Kubernetes isn't allowing me to create a pod with securityContext runAsUser