Comments (8)
In addition I am wondering whether we could tighten up the privileged container access by removing some of the unneeded Linux capabilities to help reduce the scope of the container?
There hasn't been any activity on this in a while but do we know what the minimum set of requirements for the container to run are? Ideally we shouldn't have to run it as root.
@kfox1111 no plans to add a separate service in this project.
Making the locked object independent of the daemonset seems like a good idea - could be a runtime parameter?
I think this might be partially linked to #25
I have PoC code that uses the NodeRestriction Admission controller [1], but sadly I had to map the host's kubelet conf and certs into the container, which means that it probably has more access than before... (secrets?). So that's probably not a good idea.
Does anyone have a better idea, that doesn't involve writing a new service/operator?
That still sounds like it has better security than the existing solution. In the existing solution, you already have access to all the node's secrets, as you can just tweak the deployment to give your pod access to the whole node's filesystem. You can also tweak the deployment to give you access to other secrets in the same namespace it may not already have access to.
Long term, I'd like to see an option to restrict service accounts to nodes using the NodeRestriction Admission controller. This problem is not specific to kured, but csi drivers, cni drivers, some monitoring plugins, logging, etc all suffer from this same issue. This will need a KEP in Kubernetes.
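The settings the comments above keep returning to (a privileged container, extra Linux capabilities, host PID namespace, hostPath mounts of the whole node filesystem or of the kubelet conf and certs) can be checked mechanically before a DaemonSet is deployed. The following is an added example, not kured's code; the pod template it audits is constructed to resemble a privileged reboot daemon and is not kured's real manifest, and the list of sensitive host paths is an assumption.

```python
"""Audit a pod template for settings that widen its reach onto the node."""
from typing import Dict, List

# Constructed sample pod template (assumption: illustrative, not kured's manifest).
SAMPLE_POD = {
    "spec": {
        "hostPID": True,
        "volumes": [
            {"name": "rootfs", "hostPath": {"path": "/"}},
            {"name": "kubelet", "hostPath": {"path": "/var/lib/kubelet/pki"}},
        ],
        "containers": [{
            "name": "reboot-daemon",
            "securityContext": {
                "privileged": True,
                "capabilities": {"add": ["SYS_ADMIN", "SYS_BOOT"]},
            },
            "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}],
        }],
    }
}

# Host paths that hand the pod node credentials or the whole filesystem (assumed list).
SENSITIVE_HOST_PATHS = ("/etc/kubernetes", "/var/lib/kubelet")


def _is_sensitive(path: str) -> bool:
    """True for '/' itself or anything at or below a sensitive directory."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per setting that should be justified in review."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("hostPID"):
        findings.append("hostPID: true shares the node's PID namespace")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and _is_sensitive(path):
            findings.append(f"hostPath {path!r} exposes node filesystem or kubelet credentials")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("privileged"):
            findings.append(f"container {name!r} is privileged (all capabilities, device access)")
        caps = sc.get("capabilities", {})
        if caps.get("add"):
            findings.append(f"container {name!r} adds capabilities {sorted(caps['add'])}")
        if caps.get("drop") != ["ALL"]:
            findings.append(f"container {name!r} does not drop ALL capabilities")
    return findings
```

Running audit_pod(SAMPLE_POD) reports six findings; a template with no hostPID, no sensitive hostPath, privileged unset and capabilities dropped to ALL reports none.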
Totally agreed on the last bit.
This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).