
Assessing the security of Docker in Kubernetes (+Rancher)

I have assessed the security configuration of Docker containers within a Kubernetes cluster using docker-bench. I have noted that all Kubernetes containers such as

kube-proxy
kubelet
kube-apiserver
k8s_kube-flannel_canal
k8s_POD_canal
k8s_trident-main_trident-csi
...

run as root. Is this necessary?

Furthermore, some Kubernetes containers, such as k8s_trident-main_trident, kube-proxy and kubelet ran in privileged mode. I guess this is necessary for Kubernetes to work properly.

My question is: how do you properly assess the security configuration of Docker in Kubernetes? I understand that most settings are covered by Kubernetes, such as CPU/memory usage, PID cgroup limit and health checks. However, now I don't know if I can say anything about the security configuration of Docker when it's managed through Kubernetes and Rancher (RancherOS is also used). Reframing the previous question: what are steps/controls that should be taken to harden Docker in addition to hardening Kubernetes?

...run as root. Is this necessary?

If some of them do, you can assume there should be quite a good reason for that. I believe that the creators of Kubernetes are quite familiar with the principle of least privilege. So I would say: yes, most probably it is necessary in order to be able to perform the required operations on the node system. However, it can be discussed, as for example here.

Does, e.g., kubeadm really need root privileges? Well... to be able to perform all the required operations, yes. Compare with this answer.

However, ideas about running the whole Kubernetes cluster as a non-root user also arise. I found an interesting presentation discussing this concept.

You touched on a really broad topic in your question and it is impossible to provide a single proper answer. I would say it's rather material for an extensive blog article or even an e-book (compare with this one).

Furthermore, some Kubernetes containers, such as k8s_trident-main_trident, kube-proxy and kubelet ran in privileged mode. I guess this is necessary for Kubernetes to work properly.

If you want your containers to also be able to perform certain operations on the host system, privileged mode cannot be avoided.

You may also want to familiarize yourself with the following articles in the official Kubernetes documentation:

https://kubernetes.io/docs/concepts/security/overview/

https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/

I hope it helps.
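One way to triage the root and privileged findings discussed above, as an added example that is not part of the original question or answer: it reads `docker inspect` JSON and separates node components and `kube-system` containers from the workloads you control. It assumes the kubelet's Docker naming scheme `k8s_<container>_<pod>_<namespace>_<uid>_<attempt>`; the scope labels, function names and sample data are constructed for this example.

```python
import json
import sys

ROOT_USERS = {"", "0", "root"}  # an empty Config.User means the container runs as uid 0

# Constructed sample, same shape as `docker inspect $(docker ps -q)` output.
SAMPLE = [
    {"Name": "/kubelet", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "PidMode": "host"}},
    {"Name": "/k8s_kube-flannel_canal-x7k2p_kube-system_uid-1_0", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "NetworkMode": "container:aaa", "PidMode": ""}},
    {"Name": "/k8s_web_shop-5d9f_prod_uid-2_0", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "NetworkMode": "container:bbb", "PidMode": ""}},
    {"Name": "/k8s_api_shop-api-7c4_prod_uid-3_1", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "NetworkMode": "container:ccc", "PidMode": ""}},
]

def parse_name(name):
    """Split a kubelet-created name: k8s_<container>_<pod>_<namespace>_<uid>_<attempt>."""
    parts = name.lstrip("/").split("_")
    if len(parts) == 6 and parts[0] == "k8s":
        return parts[1], parts[3]
    return name.lstrip("/"), None  # not created by the kubelet: treat as a node component

def audit(containers, system_namespaces=("kube-system",)):
    """Return sorted (scope, container, flags) for every container with a risky setting."""
    rows = []
    for c in containers:
        container, namespace = parse_name(c["Name"])
        host = c["HostConfig"]
        flags = []
        if c["Config"].get("User", "").split(":")[0] in ROOT_USERS:
            flags.append("root")
        if host.get("Privileged"):
            flags.append("privileged")
        if host.get("NetworkMode") == "host":
            flags.append("hostNetwork")
        if host.get("PidMode") == "host":
            flags.append("hostPID")
        if not flags:
            continue
        scope = "node" if namespace is None else (
            "system" if namespace in system_namespaces else "workload")
        rows.append((scope, container, flags))
    return sorted(rows)

if __name__ == "__main__":
    # Pipe real `docker inspect` JSON on stdin, or run with no input to use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for scope, container, flags in audit(data):
        print(f"{scope:9} {container:20} {','.join(flags)}")
```

Rows with scope `workload` are the ones to fix first with a pod `securityContext`; `node` and `system` rows are the components whose privileges the answer above expects to be required.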
