[ 
https://issues.apache.org/jira/browse/YUNIKORN-3132?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18030191#comment-18030191
 ] 

Wilfred Spiegelenburg commented on YUNIKORN-3132:
-------------------------------------------------

A placeholder pod is a pause pod. It does not have anything in it as it really 
does nothing. It calls to register an interrupt handler and then tells the kernel 
to park it indefinitely. There is no shell or anything in there, the base image 
is scratch for Linux which means no OS at all. See [pause image 
K8s|[https://github.com/kubernetes/kubernetes/tree/master/build/pause]]

The docker image specifies the user/group 65535/65535. We probably want to 
change the user/group to 65535/65535 like the original image does.

fsGroup: not relevant as the pause pod does not mount volumes

The rest should not form an issue at all. OpenShift for instance already 
applies some of those on the fly via its security settings.

Please open a PR for the changes.

> Pod & Container Security Context for placeholder pods to be hardened
> --------------------------------------------------------------------
>
>                 Key: YUNIKORN-3132
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-3132
>             Project: Apache YuniKorn
>          Issue Type: Improvement
>          Components: shim - kubernetes
>            Reporter: Shubham Mishra
>            Assignee: Shubham Mishra
>            Priority: Major
>
> Currently the security context for placeholder pods only sets non root user 
> and groups - 
> [https://github.com/apache/yunikorn-k8shim/blob/master/pkg/cache/placeholder.go#L100]
> {code:java}
> Spec: v1.PodSpec{
>     SecurityContext: &v1.PodSecurityContext{
>         RunAsUser:  &runAsUser,
>         RunAsGroup: &runAsGroup,
>     },{code}
> In many enterprise secure environments, this might not be enough and should 
> be more restrictive by design (unless it breaks any functionality).
> Proposing to modify the placeholder.go to add the following:
>  * *podSecurityContext:*
> {code:java}
> podSecurityContext:
>     fsGroup: 3000
>     runAsGroup: 3000
>     runAsNonRoot: true
>     runAsUser: 1000{code}
>  * *containerSecurityContext:*
> {code:java}
> containerSecurityContext:
>     privileged: false
>     allowPrivilegeEscalation: false
>     readOnlyRootFilesystem: true
>     capabilities:
>         drop:
>           - ALL{code}
>  * *hostNetwork: false*



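The settings proposed in the issue above, turned into a manifest check. This is an added example, not code from YuniKorn or from the issue. The manifests are constructed samples, `audit_pod` and `CONTAINER_CHECKS` are hypothetical names, and the pod is assumed to be supplied as JSON (for instance from `kubectl get pod -o json`).

```python
import json

# Constructed manifests (not from the issue): the first sets only user/group,
# as the issue describes for the placeholder today; the second adds the proposal.
CURRENT = json.dumps({"spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000},
    "containers": [{"name": "pause"}]}})
HARDENED = json.dumps({"spec": {
    "hostNetwork": False,
    "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "runAsNonRoot": True},
    "containers": [{"name": "pause", "securityContext": {
        "privileged": False, "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}]}})

# (key, required value, unset is acceptable): an unset privileged means false,
# so only an explicit true is a gap; the other keys must be set explicitly.
CONTAINER_CHECKS = [
    ("runAsNonRoot", True, False),
    ("privileged", False, True),
    ("allowPrivilegeEscalation", False, False),
    ("readOnlyRootFilesystem", True, False),
]


def audit_pod(manifest: str) -> list[str]:
    """Return one finding per proposed setting that the pod manifest misses."""
    spec = json.loads(manifest)["spec"]
    pod_ctx = spec.get("securityContext") or {}
    gaps = ["pod: hostNetwork is true"] if spec.get("hostNetwork") else []
    for c in spec.get("containers", []):
        sc = dict(c.get("securityContext") or {})
        # runAsNonRoot may be set at pod level; a container value overrides it.
        if "runAsNonRoot" in pod_ctx:
            sc.setdefault("runAsNonRoot", pod_ctx["runAsNonRoot"])
        for key, required, unset_ok in CONTAINER_CHECKS:
            if key not in sc and unset_ok:
                continue
            if sc.get(key) is not required:
                gaps.append(f"{c['name']}: {key} must be {str(required).lower()}")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            gaps.append(f"{c['name']}: capabilities.drop must include ALL")
    return gaps


if __name__ == "__main__":
    for label, doc in (("current", CURRENT), ("hardened", HARDENED)):
        print(label, audit_pod(doc))
```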