Comments (9)
@mateiidavid I did some research on the reason why setting `runAsGroup` is recommended by many security departments. The sources I found targeting the issue of potentially unset `runAsGroup` settings seem plausible and explain why this setting makes it even more unlikely for the container and the host system to be compromised. A good reference I found is this. The author explains why it can lower the potential threats to the system if `runAsUser`, `runAsGroup` and `fsGroup` are set. Of course, a user can currently set these on the pod level, but defining it on the container level allows for more controllability and at least lowers the risk for the linkerd sidecar container to be compromised, which would be a considerable security gain already.
I would be happy to hear back from you, get a review of my PRs and merge the changes. Thanks!
from linkerd2.
@nico151999 @yzapf sorry for the delay on this. I replied to the proxy-init PR. We're happy to push this forward, and the PR looks good. Once we can pass CI and get it on the latest main, we're ok to merge the patch.
@nico151999 This sounds like a good thing to have, you interested in putting together a PR? 🙂
@kflynn Thanks for the reply. Good to hear you would be open to a PR. Yes, I am interested. I will consider it in an upcoming sprint.
@nico151999 Great! Looking forward to seeing it. 🙂
@kflynn Could you have a look at this PR so that a new proxy-init release can be made for my draft PR to have a new image tag that can be referenced? Thanks!
@nico151999 thanks for working on the change. I've had a look at both PRs. Everything looks good at a high level, but it's a little bit hard for me to navigate the changes without having a bit more context into why the changes are necessary to begin with. This is the kind of thing that looks very straightforward to implement but might have some unintended side effects.
Would you mind elaborating on what your concrete use cases are in using `runAsGroup` and how you intend to use it? Why doesn't `runAsUser` suffice to restrict permissions?
Thanks for taking a look @mateiidavid. From a technical perspective there is no specific case that comes to my mind where I would need a `runAsGroup` setting. From a security perspective there are some companies requiring you to set both `runAsUser` and `runAsGroup` in your manifest. For example, if you operate on a K8s cluster like this and an OPA Gatekeeper enforces both attributes to be set, you cannot deploy Linkerd on these clusters. Also, I would claim Linkerd to be more complete if not only `runAsUser` but both were configurable. When it comes to reviewing the PRs, most of the files are only extended by the respective group ID attribute. There is not much logic in it. I cannot promise there will be no side effects, but my adaptations to proxy-init have worked well so far on my dev cluster and it still seemed to do its job without any issues.
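To make the pod-level versus container-level point from the comments above concrete, here is an added example (not code from this thread, Linkerd or proxy-init) that resolves the effective `runAsUser`/`runAsGroup` per container the way Kubernetes does (a container's `securityContext` overrides the pod's; `fsGroup` is pod-level only) and reports what a policy requiring both fields would reject. The manifest, container names and IDs are a constructed sample.

```python
"""Resolve effective runAsUser/runAsGroup per container and flag policy gaps."""

# Fields a container-level securityContext may override. fsGroup cannot be
# set per container, so it is only ever inherited from the pod level.
OVERRIDABLE = ("runAsUser", "runAsGroup")


def effective_identity(pod_sc: dict, container_sc: dict) -> dict:
    """Kubernetes precedence: container securityContext wins over pod securityContext."""
    ident = {}
    for field in OVERRIDABLE:
        if field in container_sc:
            ident[field] = container_sc[field]
        elif field in pod_sc:
            ident[field] = pod_sc[field]
    if "fsGroup" in pod_sc:
        ident["fsGroup"] = pod_sc["fsGroup"]
    return ident


def check_pod(pod: dict, required=("runAsUser", "runAsGroup")) -> list:
    """Return one finding per container (init containers included) that lacks a
    required field after pod-level inheritance, or that resolves to UID 0."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ident = effective_identity(pod_sc, c.get("securityContext") or {})
        for field in required:
            if field not in ident:
                findings.append(f"{c['name']}: {field} not set")
            elif field == "runAsUser" and ident[field] == 0:
                findings.append(f"{c['name']}: runs as root")
    return findings


# Constructed sample pod: "app" inherits runAsUser from the pod level and sets
# its own group; "sidecar" overrides runAsUser but never gets a runAsGroup.
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
        "containers": [
            {"name": "app", "securityContext": {"runAsGroup": 1000}},
            {"name": "sidecar", "securityContext": {"runAsUser": 2000}},
        ],
    },
}

if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD):
        print(finding)
```

Only the sidecar is reported, which is exactly the case a "both fields required" admission policy would block even though the pod-level context looks complete.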
Hi guys, I had a talk with one of your colleagues at KubeCon in Paris about this topic (I'm sorry, I forgot his name, but it was a nice talk). Can you give us a current status on whether we can expect this feature soon, or do you have any concerns about the implementation where we can assist?