
Re: Security implications of "runAsUser: type: RunAsAny"



Hey

Could you give me an example of the dangerous things that people could do to the nodes in my cluster with "type: RunAsAny"?

I am not sure how much nasty stuff people could do with that. We should have SELinux type enforcement and MCS labels to keep the pods in check.

regards
v

On 2015-10-27 at 17:44, Clayton Coleman wrote:
> If you relax restricted for all users, then yes, anyone who can oc
> login can run as root on your cluster.
>
> On Tue, Oct 27, 2015 at 12:21 PM, "Gerhard Müller" <vekt0r7 gmx net> wrote:
>> Hello
>>
>> I am trying to understand the security implications of doing "oc edit scc"
>> and using
>>   runAsUser:
>>     type: RunAsAny
>> for "name: restricted".
>>
>> This makes it possible for pods in OpenShift to have processes inside them
>> that run as root. If I set this for "name: restricted" most of the
>> containers from docker.io will run in OpenShift... which is very useful.
>> Will the people who log in to the cluster via "oc login" be able to do funny
>> things if the restricted pods have "type: RunAsAny"?
>>
>> regards
>> v
>>
>> _______________________________________________
>> users mailing list
>> users lists openshift redhat com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
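
Added example, not part of the thread or of OpenShift's own code: a small audit over `oc get scc -o json` output that flags any SCC combining `runAsUser: type: RunAsAny` with a group covering every logged-in user, and reports whether SELinux enforcement and the privileged-container ban still apply to it. The group names in `BROAD_GROUPS` and the sample SCC list are assumptions constructed for illustration.

```python
import json

# Assumption: these groups cover every account that can "oc login".
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def audit_sccs(scc_list):
    """Flag SCCs that let a broad group choose any UID, including 0."""
    findings = []
    for scc in scc_list.get("items", []):
        if (scc.get("runAsUser") or {}).get("type") != "RunAsAny":
            continue
        broad = sorted(BROAD_GROUPS.intersection(scc.get("groups") or []))
        if not broad:
            continue
        findings.append({
            "scc": scc["metadata"]["name"],
            "groups": broad,
            # What still confines a UID 0 process in such a pod:
            "selinux_enforced": (scc.get("seLinuxContext") or {}).get("type") == "MustRunAs",
            "privileged_allowed": bool(scc.get("allowPrivilegedContainer")),
        })
    return findings

# Constructed sample shaped like `oc get scc -o json` output (not real cluster data).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "restricted"},
   "runAsUser": {"type": "RunAsAny"},
   "seLinuxContext": {"type": "MustRunAs"},
   "allowPrivilegedContainer": false,
   "groups": ["system:authenticated"], "users": []},
  {"metadata": {"name": "privileged"},
   "runAsUser": {"type": "RunAsAny"},
   "seLinuxContext": {"type": "RunAsAny"},
   "allowPrivilegedContainer": true,
   "groups": ["system:cluster-admins"], "users": []},
  {"metadata": {"name": "nonroot"},
   "runAsUser": {"type": "MustRunAsNonRoot"},
   "seLinuxContext": {"type": "MustRunAs"},
   "allowPrivilegedContainer": false,
   "groups": ["system:authenticated"], "users": []}
]}
""")

if __name__ == "__main__":
    for finding in audit_sccs(SAMPLE):
        print(json.dumps(finding))
```
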

