
allowPrivilegeEscalation vs privileged

Open dud225 opened this issue 2 years ago • 2 comments

Hello

microk8s supports multus as an addon and I've just noticed that it sets up multus with the security context allowPrivilegeEscalation instead of privileged: https://github.com/canonical/microk8s-community-addons/blob/309e626be7bcc377cc9fc2f3927bad0f0b2451b8/addons/multus/multus.yaml#L127=

From my understanding it seems that allowPrivilegeEscalation is tighter, so maybe it's a better idea to limit the pod privileges to this setting? Or maybe we could get rid of any security context, as I'm not sure that multus really needs one: from what I understand it just installs the multus binary and generates the proper CNI configuration in some directories shared by the host.

dud225, Jun 07 '22 12:06

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot], Sep 06 '22 04:09

Remove stale label

dud225, Sep 06 '22 08:09

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot], Dec 07 '22 02:12

Remove stale label

dud225, Dec 07 '22 08:12

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot], Mar 08 '23 02:03

Remove stale label

dud225, Mar 08 '23 08:03

Looking at the latest one, they use privileged for that again. This is because we need it rather than allowPrivilegeEscalation. https://github.com/canonical/microk8s-community-addons/blob/main/addons/multus/multus.yaml#L155-L156

At least to copy the multus binary we need privileged.

s1061123, Mar 08 '23 15:03
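
Added example, not part of the thread and not taken from the multus or microk8s manifests: a small audit that separates the two settings discussed above for each container in a pod spec. The sample spec and its container names are constructed; the check also flags the one combination the Kubernetes API server rejects (`privileged: true` together with `allowPrivilegeEscalation: false`).

```python
import json

# Constructed sample pod spec (container names are hypothetical; this is not
# the multus or microk8s manifest).
SAMPLE_POD_SPEC = json.loads("""
{
  "initContainers": [
    {"name": "copy-binary", "securityContext": {"privileged": true}}
  ],
  "containers": [
    {"name": "ape-only", "securityContext": {"allowPrivilegeEscalation": true}},
    {"name": "no-context"},
    {"name": "locked", "securityContext": {"allowPrivilegeEscalation": false}},
    {"name": "contradictory",
     "securityContext": {"privileged": true, "allowPrivilegeEscalation": false}}
  ]
}
""")


def classify(container):
    """Return (level, reason) for one container's securityContext."""
    sc = container.get("securityContext") or {}
    privileged = sc.get("privileged", False)
    ape = sc.get("allowPrivilegeEscalation")  # None means the field is unset
    if privileged and ape is False:
        return ("invalid", "API server rejects privileged=true with "
                           "allowPrivilegeEscalation=false")
    if privileged:
        return ("privileged", "all capabilities and host device access; "
                              "escalation is always allowed")
    if ape is False:
        return ("no-new-privs", "runtime sets no_new_privs on the process")
    # With no admission-time defaulting, explicit true and unset behave the
    # same: no_new_privs is not set, but no capabilities or devices are added.
    return ("escalation-allowed", "unprivileged, no_new_privs not set")


def audit(pod_spec):
    """Map container name -> level for init and regular containers."""
    return {c["name"]: classify(c)[0]
            for key in ("initContainers", "containers")
            for c in pod_spec.get(key, [])}


if __name__ == "__main__":
    for name, level in audit(SAMPLE_POD_SPEC).items():
        print(f"{name}: {level}")
```

Setting only `allowPrivilegeEscalation: true` lands in the same bucket as having no security context at all, which is why it is not a weaker form of `privileged` but a different control.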