kubernetes, kubernetes-pod, kubernetes-security

Is there any security issue when I open the chown or dac_override capabilities in Kubernetes?


As a Kubernetes cluster admin, I was asked to enable the chown, dac_override and fowner Linux capabilities in the SHARED Kubernetes cluster for some special Pods.

But I found it is horrible to open these capabilities in a container: https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick

I would like to know if the Pods can ONLY use these capabilities on the files/folders in the Pod? Or they can also use them on the host files/folders to hack something?

I also open the RunAsRoot permission but disable the Privileged permission.

So I would like to know if there is any security issue in enabling these capabilities in the Kube cluster?

Or is there any way to JUST allow some special Pods to have these capabilities?

Thanks a lot!


Solution

  • As long as you trust the k8s controllers (Deployment, StatefulSet, DaemonSet) of these pods - you're fine with additional filesystem-related capabilities. By default, pods cannot write to the host filesystem. And you shouldn't have hostPath volumes in the controllers of your special pods, to eliminate host filesystem writes from inside these pods.
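
One way to check the condition this answer relies on, as an added example that is not part of the original post: it audits a Pod or controller manifest (already parsed into a dict) and reports containers that are granted CHOWN, DAC_OVERRIDE or FOWNER while also mounting a hostPath volume or running privileged. The `audit` and `pod_spec` helpers, the sample manifests, their names and the image reference are all constructed for illustration.

```python
# Capabilities from the question, as written in a securityContext (no CAP_ prefix).
FS_CAPS = {"CHOWN", "DAC_OVERRIDE", "FOWNER"}

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a controller's pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})

def audit(obj):
    """Return findings for one manifest (a dict); an empty list means none."""
    spec = pod_spec(obj)
    host_vols = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        added = {cap.upper() for cap in sc.get("capabilities", {}).get("add", [])}
        caps = sorted(FS_CAPS if "ALL" in added else added & FS_CAPS)
        if not caps:
            continue  # container was not granted any of the three capabilities
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container with {caps}")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols:
                mode = "read-only" if m.get("readOnly") else "writable"
                findings.append(
                    f"{c['name']}: {caps} with {mode} hostPath mount at {m['mountPath']}")
    return findings

def _workload(kind, name, volume):
    """Build a constructed sample manifest; all names here are made up."""
    container = {
        "name": "app", "image": "registry.example/app:1",
        "securityContext": {"privileged": False, "capabilities": {
            "drop": ["ALL"], "add": ["CHOWN", "DAC_OVERRIDE", "FOWNER"]}},
        "volumeMounts": [{"name": "data", "mountPath": "/data"}]}
    return {"kind": kind, "metadata": {"name": name}, "spec": {"template": {
        "spec": {"containers": [container], "volumes": [dict(volume, name="data")]}}}}

SAMPLE_OK = _workload("StatefulSet", "special-ok", {"emptyDir": {}})
SAMPLE_BAD = _workload("Deployment", "special-bad", {"hostPath": {"path": "/etc"}})

if __name__ == "__main__":
    for manifest in (SAMPLE_OK, SAMPLE_BAD):
        print(manifest["metadata"]["name"], audit(manifest) or "no findings")
```
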