You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: add a chapter about security considerations.
Add a chapeter a about security considerations and provide
a few pointers to related documentation.
Signed-off-by: Krisztian Litkey <[email protected]>
Copy file name to clipboardExpand all lines: README.md
+42Lines changed: 42 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -312,6 +312,48 @@ The following sample plugins exist for NRI:
312
312
Please see the documentation of these plugins for further details
313
313
about what and how each of these plugins can be used for.
314
314
315
+
## Security Considerations
316
+
317
+
From a security perspective NRI plugins should be considered part of the
318
+
container runtime. NRI does not implement granular access control to the
319
+
functionality it offers. Access to NRI is controlled by restricting access
320
+
to the systemwide NRI socket. If a process can connect to the NRI socket
321
+
and send data, it has access to the full scope of functionality available
322
+
via NRI.
323
+
324
+
In particular this includes
325
+
326
+
- injection of OCI hooks, which allow for arbitrary execution of processes with the same privilege level as the container runtime
327
+
- arbitrary changes to mounts, including new bind-mounts, changes to the proc, sys, mqueue, shm, and tmpfs mounts
328
+
- the addition or removal of arbitrary devices
329
+
- arbitrary changes to the limits for memory, CPU, block I/O, and RDT resources available, including the ability to deny service by setting limits very low
330
+
331
+
The same precautions and principles apply to protecting the NRI socket as
332
+
to protecting the socket of the runtime itself. Unless it already exists,
333
+
NRI itself creates the directory to hold its socket with permissions that
334
+
allow access only for the user ID of the runtime process. By default this
335
+
limits NRI access to processes running as root (UID 0). Changing the default
336
+
socket permissions is strongly advised against. Enabling more permissive
337
+
access control to NRI should never be done without fully understanding the
338
+
full implications and potential consequences to container security.
339
+
340
+
### Plugins as Kubernetes DaemonSets
341
+
342
+
When the runtime manages pods and containers in a Kubernetes cluster, it
343
+
is convenient to deploy and manage NRI plugins using Kubernetes DaemonSets.
344
+
Among other things, this requires bind-mounting the NRI socket into the
345
+
filesystem of a privileged container running the plugin. Similar precautions
346
+
apply and the same care should be taken for protecting the NRI socket and
347
+
NRI plugins as for the kubelet DeviceManager socket and Kubernetes Device
348
+
Plugins.
349
+
350
+
The cluster configuration should make sure that unauthorized users cannot
351
+
bind-mount host directories and create privileged containers which gain
352
+
access to these sockets and can act as NRI or Device Plugins. See the
and [best practices](https://kubernetes.io/docs/setup/best-practices/enforcing-pod-security-standards/)
355
+
about Kubernetes security.
356
+
315
357
## Project details
316
358
317
359
nri is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE).
0 commit comments