sig-storage-local-static-provisioner icon indicating copy to clipboard operation
sig-storage-local-static-provisioner copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

The local provisioner use hostPath behind the scene. Is it secure ?

Open raphaelpoumarede opened this issue 3 years ago • 5 comments

When looking closely at the code, I noticed that "hostPath" volume type was used (for example in this manifest : https://raw.githubusercontent.com/Azure/kubernetes-volume-drivers/master/local/local-pv-provisioner-nvmedisk.yaml).

The official Kubernetes documentation discourages the usage of the hostPath volume type because of the security risk. See the big Warning. Do you know if the security warning and risks only applies for direct "hostPath" from the pod or if it also applies when we use the local provisioner and a PVC ? If yes, would it be possible to modify the provided yaml to use the "local" volume type instead of hostPath ? Thanks for your feedback !

raphaelpoumarede avatar May 10 '22 09:05 raphaelpoumarede

this driver is based on hostPath and finally generates local type volume: https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner/blob/b5987962ca8c6f53415c4ad683ddea4cb274fec6/deployment/kubernetes/example/default_example_provisioner_generated.yaml#L60-L62

andyzhangx avatar May 10 '22 12:05 andyzhangx

Thank you Andy for your answer. So it means that when using this local-pv-provisioner project code we are not exposed to the direct "hostPath" security risks mentioned in the Kubernetes official documentation, right? thank you

raphaelpoumarede avatar May 10 '22 17:05 raphaelpoumarede

@raphaelpoumarede local-pv-provisioner project are using hostPath to discover all disks and finally generate local PV.

andyzhangx avatar May 11 '22 04:05 andyzhangx

@raphaelpoumarede I took some notes after discussing this item with our team:

  • These volumes are the important ones, /dev might be marked as read only but /mnt/disks might need write permissions because we need to support cleaning the data behind these volumes (2 ways of cleaning up data, rm -rf all the data in the filesystem or provide a custom cleanup job) you could try setting these as read only but we haven't tested that.
  • The container is already privileged (we did a blame but couldn't find if this was set for block volumes only) and therefore even after setting the volume mounts as read only we're not sure if the attack surface is reduced.

mauriciopoppe avatar May 11 '22 16:05 mauriciopoppe

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Aug 09 '22 16:08 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Sep 08 '22 17:09 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Oct 08 '22 17:10 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Oct 08 '22 17:10 k8s-ci-robot