Ronald
Ronald

Reputation: 2932

Why does the k8s example restricted PodSecurityPolicy not restricting RunAsGroup?

The K8s documentation has an example for a restricted PodSecurityPolicy:

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example-policies

It restricts 'supplementalGroups' and 'fsGroup' but not 'runAsGroup'

  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535

Therefore it allows a container in the securityContext to specify the root group with id 0. Isn't this a problem? Shouldn't the following

  runAsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535

be added to a restrictive PodSecruityPolicy?

Upvotes: 1

Views: 357

Answers (1)

Rico
Rico

Reputation: 61699

Shouldn't the following...be added to a restrictive PodSecruityPolicy?

It's an option to restrict your primary group, if you don't have it then your primary group will not be restricted. So basically, pods can still run containers as the root Group: 0.

supplementalGroups means any additional group added to the user besides the primary group (secondary groups). In *nix systems 🖥️ you can have a process run as belonging to a primary group and a set of limited secondary groups.

✌️

Upvotes: 1

Related Questions