Need a version of this image which can run with non-root privileges #159

ashok-e-singh opened this issue Jan 17, 2022 · 6 comments

@ashok-e-singh

TL;DR

We need this container to run as non-root user.

Design

Proposal
Since it's widely published that containers should run as non-root users, can we have a version of this which can run as non-root?

Alternatives considered
We have tried to add the user in the dockerbuild file using the USER command, but this wouldn't let the container run.

Resources

Additional information

No

@ashok-e-singh
Author

Hi @tam7t ... Can you please answer this?

@tam7t
Contributor

tam7t commented Jan 20, 2022

This was not possible when the plugin was the process that actually wrote the files to disk. It may be possible now though there could be an issue creating the unix socket in the hostpath (required for the driver to communicate with this plugin).

Note: the driver itself will still require root privileges (as you've noted kubernetes-sigs/secrets-store-csi-driver#842)

@ashok-e-singh
Author

Thanks for the response @tam7t .. much appreciated.

@tam7t
Contributor

tam7t commented Jan 20, 2022

Seems like non-root does not work currently due to permissions on the host filesystem:

{"ts":1642699764506.667,"caller":"secrets-store-csi-driver-provider-gcp/main.go:182","msg":"unable to listen to unix socket","v":0,"path":"/etc/kubernetes/secrets-store-csi-providers/gcp.sock","err":"listen unix /etc/kubernetes/secrets-store-csi-providers/gcp.sock: bind: permission denied"}

I think we need to open up permissions on the secrets-store-csi-providers dir to be world-writable:

$ ls -la /etc/kubernetes/
total 0
drwxr-xr-x 4 root root  80 Dec 21 16:45 .
drwxr-xr-x 1 root root 620 Jan 20 17:34 ..
drwxr-xr-x 2 root root  60 Dec 21 16:45 manifests
drwxr-xr-x 2 root root  40 Jan 20 17:28 secrets-store-csi-providers

This allows the pod to start

$ sudo chmod o+rwx /etc/kubernetes/secrets-store-csi-providers
$ ls -la /etc/kubernetes/secrets-store-csi-providers/
total 0
drwxr-xrwx 2 root  root  60 Jan 20 17:40 .
drwxr-xr-x 4 root  root  80 Dec 21 16:45 ..
srwxr-xr-x 1 65532 65532  0 Jan 20 17:40 gcp.sock

For comparison the /var/lib/kubelet/plugins directory is:

drwxr-x---  4 root root 4096 Dec 21 16:45 plugins

I'm not sure if it's better to keep the plugins as root or to open up the plugin socket directory to world-writable...
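The trade-off raised above (keep the plugin root, or make the socket directory world-writable), as an added Go example that is not the provider's own code: a pre-bind check that refuses to create the socket in a directory that is world-writable without the sticky bit, so that opening the hostPath as 1777 rather than o+rwx keeps other local users from removing or renaming the socket once the non-root plugin has created it. The function names, the stale-socket removal and the temp directory standing in for /etc/kubernetes/secrets-store-csi-providers are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// checkSocketDir fails closed when dir (e.g. /etc/kubernetes/secrets-store-csi-providers)
// is world-writable without the sticky bit: any local user could then delete
// or rename the socket once the provider has created it.
func checkSocketDir(dir string) error {
	fi, err := os.Stat(dir)
	if err != nil {
		return err
	}
	mode := fi.Mode()
	if mode.Perm()&0o002 != 0 && mode&os.ModeSticky == 0 {
		return fmt.Errorf("%s is world-writable (%v) without the sticky bit", dir, mode.Perm())
	}
	return nil
}

// listenProviderSocket runs the check, clears a stale socket file from a previous
// run, and binds. Hypothetical helper for this example, not the provider's main.go.
func listenProviderSocket(path string) (net.Listener, error) {
	if err := checkSocketDir(filepath.Dir(path)); err != nil {
		return nil, err
	}
	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
		return nil, err
	}
	return net.Listen("unix", path)
}

func main() {
	// Constructed path: a temp dir stands in for the hostPath directory.
	dir, err := os.MkdirTemp("", "csi-providers")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	l, err := listenProviderSocket(filepath.Join(dir, "gcp.sock"))
	if err != nil {
		panic(err)
	}
	defer l.Close()
	fmt.Println("listening on", l.Addr())
}
```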

@ashok-e-singh
Author

Hi @tam7t .. Thanks for the feedback and your thoughts.

@tam7t
Contributor

tam7t commented May 19, 2022

Some additional details on upstream:

The csi-secrets-store DaemonSet needs privileged: true because it creates tmpfs filesystems and mounts them into other pods' filesystems.

CAP_SYS_ADMIN is needed for the mount/unmount syscalls and Bidirectional mount propagation is available only to privileged containers.

Also relevant is kubernetes-sigs/secrets-store-csi-driver#858
