
Re: Security implications of "runAsUser: type: RunAsAny"



As root, you have access to some of the kernel devices.  Generally
that means you can do *anything* to the system because a number of
core kernel resources are not namespaced.  A good example is
http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/

Some of this will be improved once user namespaces land in Docker, but
until then being able to run as uid 0 (root) inside a container is
basically giving your users access to run as root on the host machine.


On Tue, Oct 27, 2015 at 5:32 PM, v <vekt0r7 gmx net> wrote:
> Hey
>
> Could you give me an example of the dangerous things that people could do to the nodes in my cluster with "type: RunAsAny"?
>
> I am not sure how much nasty stuff people could do with that. We should have SELinux type enforcement and MCS labels to keep the pods in check.
>
> regards
> v
>
> On 2015-10-27 at 17:44, Clayton Coleman wrote:
>> If you relax restricted for all users, then yes, anyone who can oc
>> login can run as root on your cluster.
>>
>> On Tue, Oct 27, 2015 at 12:21 PM, "Gerhard Müller" <vekt0r7 gmx net> wrote:
>>> Hello
>>>
>>> I am trying to understand the security implications of doing "oc edit scc"
>>> and using
>>>   runAsUser:
>>>     type: RunAsAny
>>> for "name: restricted".
>>>
>>> This makes it possible for pods in openshift to have processes inside them
>>> that run as root. If I set this for "name: restricted" most of the
>>> containers from docker.io will run in OpenShift... which is very useful.
>>> Will the people who login to the cluster via "oc login" be able to do funny
>>> things if the restricted pods have "type: RunAsAny"?
>>>
>>> regards
>>> v
>>>
>>> _______________________________________________
>>> users mailing list
>>> users lists openshift redhat com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>
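As an added example (not code from this thread or from OpenShift), the check below walks SCC objects in the shape `oc get scc -o json` returns and flags any SCC granted to every authenticated user whose runAsUser strategy lets a pod request uid 0, then shows the fix of putting restricted back on its shipped MustRunAsRange strategy. The SCC list is constructed sample data, and the v1 SCC field names are assumed.

```python
import copy
import json

# Constructed sample in the shape of `oc get scc -o json` (fields trimmed; v1 SCC schema assumed).
SAMPLE_SCC_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "restricted"}, "groups": ["system:authenticated"], "users": [],
   "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "MustRunAs"}},
  {"metadata": {"name": "anyuid"}, "groups": [], "users": ["system:serviceaccount:ci:builder"],
   "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "MustRunAs"}},
  {"metadata": {"name": "nonroot"}, "groups": ["system:authenticated"], "users": [],
   "runAsUser": {"type": "MustRunAsNonRoot"}, "seLinuxContext": {"type": "MustRunAs"}}
]}""")

# Groups every `oc login` identity belongs to; an SCC granted here is granted to everyone.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}


def permits_uid0(run_as_user):
    """True if the SCC's runAsUser strategy lets a pod request uid 0."""
    strategy = run_as_user.get("type")
    if strategy == "MustRunAsNonRoot":
        return False
    if strategy == "MustRunAs":             # pinned uid; root only if it is pinned to 0
        return run_as_user.get("uid") == 0
    if strategy == "MustRunAsRange":        # explicit range, or the project's allocated
        return run_as_user.get("uidRangeMin", 1) <= 0   # range (assumed to exclude 0)
    return True                             # RunAsAny, or an unknown strategy (fail closed)


def findings(scc_list):
    """Names of SCCs that both permit uid 0 and are granted to every authenticated user."""
    return sorted(
        scc["metadata"]["name"]
        for scc in scc_list["items"]
        if permits_uid0(scc.get("runAsUser", {}))
        and BROAD_GROUPS & set(scc.get("groups", []))
    )


def harden(scc):
    """Copy of the SCC with runAsUser reset to MustRunAsRange (restricted's shipped default),
    so the uid comes from the namespace's allocated range rather than from the pod spec."""
    fixed = copy.deepcopy(scc)
    fixed["runAsUser"] = {"type": "MustRunAsRange"}
    return fixed


if __name__ == "__main__":
    for name in findings(SAMPLE_SCC_LIST):
        print(f"{name}: any authenticated user can run pods as root")
```

With real data, feed the parsed output of `oc get scc -o json` to `findings` instead of the sample list.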

