-
Notifications
You must be signed in to change notification settings - Fork 355
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deployment vcluster KO in Kubernetes with noexec for emptyDir #1717
Comments
I could ask the kubernetes admin if they can change the behavior of emptyDir, so that the partition are not noexec. It might be difficult for them to lower the security. Moreover, the kubernetes issue kubernetes/kubernetes#48912 might make this a future issue for vcluster anyway. What if vcluster image directly contains the two binaries? I don't know about licence but that would prevent this trick and we could then have noexec in the image and in emptyDir. |
@antoinetran Hi, thanks for opening this. to answer your question |
What happened?
In an environment where any emptyDir is mounted to a partition in host, with noexec, vcluster create will give:
After editing the pod for debug with strace:
If copied to /tmp, vcluster works.
Mount command gives:
Which shows noexec for /binaries (but not for /tmp though).
What did you expect to happen?
vcluster create is OK
How can we reproduce it (as minimally and precisely as possible)?
Deploy a kubernetes cluster and configures it to bind any emptyDir to a partition with noexec. Then deploy vcluster.
Anything else we need to know?
Currently, it seems this behavior is particular to the Kubernetes environment I am deploying it into. Generally speaking, it seems the emptyDir are not mounted as noexec. However seeing kubernetes/kubernetes#48912 , it seems we are going in the direction of more security with emptyDir mounted as noexec (by default or with options).
From my understanding of the code (see https://github.com/loft-sh/vcluster/blob/v0.20.0-beta.1/chart/templates/_init-containers.tpl), the initContainers are here to inject vcluster, only to do a cp command (because the cp is not present in the kubernetes images), to get kube-controller-manager and kube-apiserver binaries into vcluster image. This needs emptyDir mounted as exec.
Host cluster Kubernetes version
Host cluster Kubernetes distribution
kubespray
vlcuster version
Vcluster Kubernetes distribution(k3s(default)), k8s, k0s)
OS and Arch
The text was updated successfully, but these errors were encountered: