
High-privilege service account in Driver Pods causes attack

Open tingweiwu opened this issue 2 years ago • 2 comments

About the Service Account for Driver Pods

Using the service account in the driver pod, you can create a pod with any spec.

If PodSecurityPolicy or PodSecurityAdmission is not restricted, an attacker can directly create a privileged container that mounts the machine and shares the host namespace, and directly obtain control of the computing node. Even if PodSecurityPolicy or PodSecurityAdmission is restricted, it may cause a number of unrelated pods to be created.

Are there any suggestions for security protection?

Is there a way to restrict the creation of pods by user code, or to restrict the executor pod spec created by the driver pod?

tingweiwu avatar Aug 08 '23 03:08 tingweiwu
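The kind of restriction the post asks for is normally enforced outside the driver: a Pod Security Admission level on the namespace rejects host namespaces, privileged containers and hostPath volumes, and a validating admission policy can additionally require that anything created with the driver's account looks like an executor pod. The following is an added example that is not part of this issue or of spark-operator: it implements those checks as plain Python over a Pod manifest dict. The `spark-role: executor` label requirement and the sample manifests are constructed for the illustration.

```python
"""Admission-style checks for pods created with a Spark driver's service account.

Added example, not spark-operator's own code. It assumes pod manifests arrive as
plain dicts shaped like a Kubernetes Pod object, and that legitimate executor pods
carry the label ``spark-role: executor`` (an assumption made for this example).
"""

# Pod spec fields that share a host namespace with the node.
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")


def _containers(spec):
    """Yield every container in the spec, init containers included."""
    for key in ("initContainers", "containers"):
        yield from spec.get(key, [])


def check_pod(pod):
    """Return the list of policy violations for one Pod manifest (empty == allowed).

    The checks mirror what the restricted Pod Security Admission level rejects
    (host namespaces, privileged containers, added capabilities, hostPath volumes)
    plus one namespace-specific rule: only executor pods may be created.
    """
    violations = []
    labels = pod.get("metadata", {}).get("labels", {})
    spec = pod.get("spec", {})

    # Rule specific to this account: anything that is not an executor is refused.
    if labels.get("spark-role") != "executor":
        violations.append("pod is not labelled spark-role=executor")

    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field):
            violations.append(f"spec.{field} shares a host namespace")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name', '?')} mounts a hostPath")

    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {name} is privileged")
        added = sc.get("capabilities", {}).get("add", [])
        if added:
            violations.append(f"container {name} adds capabilities {added}")

    return violations


# Constructed sample manifests (not captured from any cluster).
SAFE_EXECUTOR = {
    "metadata": {"name": "spark-exec-1", "labels": {"spark-role": "executor"}},
    "spec": {
        "containers": [
            {"name": "executor", "image": "executor-image-placeholder",
             "securityContext": {"allowPrivilegeEscalation": False}}
        ]
    },
}

HOST_ESCAPE_POD = {
    "metadata": {"name": "not-an-executor"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [
            {"name": "shell", "image": "shell-image-placeholder",
             "securityContext": {"privileged": True}}
        ],
    },
}


if __name__ == "__main__":
    for pod in (SAFE_EXECUTOR, HOST_ESCAPE_POD):
        name = pod["metadata"]["name"]
        problems = check_pod(pod)
        print(name, "ALLOWED" if not problems else "DENIED: " + "; ".join(problems))
```

The second concern in the post, many unrelated pods being created even under a restricted policy, is a quantity rather than a spec problem; the usual control for it is a namespace `ResourceQuota` on `pods` (and CPU/memory requests), which these per-manifest checks do not replace.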

+1

0marq avatar Oct 16 '23 08:10 0marq

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Aug 14 '24 04:08 github-actions[bot]