Docker beta for mac kubernetes installation package

This morning a container escape vulnerability in runc was announced. We wanted to provide some guidance to Kubernetes users to ensure everyone is safe and secure. Very briefly, runc is the low-level tool which does the heavy lifting of spawning a Linux container. Other tools like Docker, Containerd, and CRI-O sit on top of runc to deal with things like data formatting and serialization, but runc is at the heart of all of these systems. Kubernetes in turn sits on top of those tools, and so while no part of Kubernetes itself is vulnerable, most Kubernetes installations are using runc under the hood.

While full details are still embargoed to give people time to patch, the rough version is that when running a process as root (UID 0) inside a container, that process can exploit a bug in runc to gain root privileges on the host running the container. This then gives the attacker unlimited access to the server as well as any other containers on that server.

If the process inside the container is either trusted (something you know is not hostile) or is not running as UID 0, then the vulnerability does not apply. It can also be prevented by SELinux, if an appropriate policy has been applied. Red Hat Enterprise Linux and CentOS both include appropriate SELinux permissions with their packages and so are believed to be unaffected if SELinux is enabled.

The most common source of risk is attacker-controlled container images, such as unvetted images from public repositories.

What Should I Do?

As with all security issues, the two main options are to mitigate the vulnerability or upgrade your version of runc to one that includes the fix.

As the exploit requires UID 0 within the container, a direct mitigation is to ensure all your containers are running as a non-0 user. This can be set within the container image, or via your pod specification:

    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: non-root
    spec:
      privileged: false
      allowPrivilegeEscalation: false
      runAsUser:
        # Require the container to run without root privileges.
        rule: MustRunAsNonRoot

Setting a policy like this is highly encouraged given the overall risks of running as UID 0 inside a container.

Another potential mitigation is to ensure all your container images are vetted and trusted.
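To apply the same non-root rule outside the admission path, for instance when reviewing manifests in a repository before they reach a cluster, here is an added example (not code from the original post or from the Kubernetes project): it flags every container in a pod spec that could start as UID 0 under the same logic the MustRunAsNonRoot rule enforces. It assumes the manifest has already been parsed into a Python dict; the sample pod is constructed.

```python
"""Audit a pod manifest for containers that may run as UID 0, the precondition
for the runc escape discussed above. Mirrors a PodSecurityPolicy with
runAsUser.rule MustRunAsNonRoot, evaluated statically: a container passes only
if runAsNonRoot is true or runAsUser is non-zero (container-level securityContext
overrides pod-level). Manifests are plain dicts; the sample below is constructed."""

ROOT = "runAsUser=0"
UNCONSTRAINED = "no UID constraint (image USER decides)"


def effective(pod_sc, ctr_sc, key):
    """Container securityContext overrides the pod-level value for `key`."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def audit_pod(pod):
    """Return [(container name, reason)] for every container that may run as root.
    Init containers run under the same runc, so they are checked as well."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        ctr_sc = ctr.get("securityContext") or {}
        uid = effective(pod_sc, ctr_sc, "runAsUser")
        non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
        if uid == 0:
            findings.append((ctr["name"], ROOT))
        elif uid is None and not non_root:
            # Nothing pins the UID, so the image's USER directive decides;
            # many public images default to root.
            findings.append((ctr["name"], UNCONSTRAINED))
    return findings


# Constructed sample: a hardened container, an explicitly root container, and
# an init container that opts out of the pod-level runAsNonRoot.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sample"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "securityContext": {"runAsUser": 1000,
                                                "allowPrivilegeEscalation": False}},
            {"name": "debug", "securityContext": {"runAsUser": 0, "runAsNonRoot": False}},
        ],
        "initContainers": [
            {"name": "init", "securityContext": {"runAsNonRoot": False}},
        ],
    },
}
```

Running `audit_pod(SAMPLE_POD)` reports `debug` (explicit UID 0) and `init` (no UID constraint), while `app` passes; a container inheriting only the pod-level `runAsNonRoot: true` also passes, since the kubelet then refuses to start it if the image resolves to UID 0.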