
K8S PSS restricted profile support

Open glazychev-art opened this issue 1 year ago • 0 comments

Overview

This is a continuation of this issue - https://github.com/networkservicemesh/deployments-k8s/issues/9218

Current state: PSS has 3 profiles - Privileged, Baseline and Restricted.

  1. Privileged works, because it has no restrictions.
  2. Baseline also works, since the main limitation is the use of hostPath, and this will be fixed by the NSM CSI driver.
  3. Restricted - it has many limitations - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted. We fixed one issue - Livelinesschecker now works in non-privileged mode. And that's enough for a basic example.

But we have other problems with restricted profile:

  • Local DNS Server on the NSC. We are denied access to edit /etc/resolv.conf, as well as use of port :53.
  • VL3 DNS probably has the same problems.
  • VPP applications also cannot be used, because vpphelper also needs rights (mkdir /etc/vpp/helper: permission denied) (possible solution - comment).
  • Other issues not yet found.

See: https://github.com/networkservicemesh/deployments-k8s/issues/9218#issuecomment-1598818058

glazychev-art Jul 10 '23 06:07
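Added example (not part of this issue, and not NSM project code): a small Python checker that applies the core rules of the PSS `restricted` profile that the issue above keeps hitting (hostPath volumes, capabilities, runAsNonRoot, seccomp, privilege escalation) to a Pod manifest, and shows a hostPath/NET_ADMIN style manifest failing next to one that passes while still binding port 53 via the one capability `restricted` lets you add back. Both manifests, their names and image references are constructed for illustration; the checker covers a subset of the profile, not every rule.

```python
"""Check a Pod manifest against the core rules of the Kubernetes PSS
'restricted' profile. Added example, not NSM project code; the sample
manifests below are constructed for illustration, not real NSM deployments."""
from typing import Any, Dict, List

ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}  # the only cap 'restricted' lets you add back
HOST_NAMESPACE_FIELDS = ("hostNetwork", "hostPID", "hostIPC")


def _all_containers(spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Pod Security Admission evaluates init, regular and ephemeral containers alike."""
    out: List[Dict[str, Any]] = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        out.extend(spec.get(key) or [])
    return out


def check_restricted(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable violations; an empty list means the Pod passes
    the checks implemented here (a subset of the full 'restricted' profile)."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    violations: List[str] = []

    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field):
            violations.append(f"spec.{field} must be false")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')!r} uses hostPath")

    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}

        if sc.get("privileged"):
            violations.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(f"{name}: capabilities.add {sorted(extra)} not allowed")
        # Container-level settings override pod-level ones, so consult both.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP_TYPES:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


# Constructed manifest: hostPath socket mount plus an added NET_ADMIN, with no
# securityContext hardening. Passes 'baseline'-style expectations, fails 'restricted'.
BASELINE_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "client-example"},
    "spec": {
        "containers": [{
            "name": "client", "image": "example/client:latest",  # hypothetical image
            "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
            "volumeMounts": [{"name": "host-sock", "mountPath": "/run/example/sockets"}],
        }],
        "volumes": [{"name": "host-sock",
                     "hostPath": {"path": "/run/example/sockets", "type": "Directory"}}],
    },
}

# Constructed manifest for a DNS listener on :53 that satisfies the checks above:
# non-root, seccomp, no escalation, drop ALL and add back only NET_BIND_SERVICE.
RESTRICTED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dns-example"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "dns", "image": "example/dns:latest",  # hypothetical image
            "ports": [{"containerPort": 53, "protocol": "UDP"}],
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        }],
        "volumes": [{"name": "resolv", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for pod in (BASELINE_POD, RESTRICTED_POD):
        print(pod["metadata"]["name"], check_restricted(pod) or "OK")
```

The authoritative verdict comes from the API server once a namespace is labelled `pod-security.kubernetes.io/enforce=restricted`; applying a manifest there with `kubectl apply --dry-run=server -f pod.yaml` reports the full rule set, of which this script checks the common subset. Two caveats tied to the issue: the profile permits adding back NET_BIND_SERVICE, but whether a non-root process can actually use it depends on the image and runtime; and the `/etc/resolv.conf` write failure is not something the profile rules flag at all, it is simply a root-owned file that a `runAsNonRoot` process cannot modify.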