-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"/dev/termination-log must have noexec so unpriviledged user cannot exec from it" #122219
Comments
/sig Security |
@pentago: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Maybe a duplicate of #81116 |
/sig node |
To add some detail to this, I think |
also another dup: #108076 /retitle "/dev/termination-log must have noexec so unpriviledged user cannot exec from it" |
/triage accepted with the scope of just noexec I think it is reasonable |
/priority backlog |
I have a question. $ kubectl exec -it nginx -- mount
...
/dev/mapper/ubuntu--vg-ubuntu--lv on /etc/hosts type ext4 (rw,relatime)
/dev/mapper/ubuntu--vg-ubuntu--lv on /dev/termination-log type ext4 (rw,relatime)
/dev/mapper/ubuntu--vg-ubuntu--lv on /etc/hostname type ext4 (rw,relatime)
/dev/mapper/ubuntu--vg-ubuntu--lv on /etc/resolv.conf type ext4 (rw,relatime)
... |
Maybe |
I thought that, but the result was that (these access mode were rw).
apiVersion: v1
kind: Pod
metadata:
labels:
run: nginx
name: nginx
spec:
containers:
- image: nginx
name: nginx |
Just to dial back the alarm - unless someone can propose a mechanism for this, I think this is untrue. /dev/termination-log is just a writeable file, and the kubelet just reads opaque content from it and makes that available through the pod status. The contents of this file are not parsed, nor executed outside the container's security boundary. I can imagine a DoS attack scenario where we fill up the host's disk. This is similar to writing to other ephemeral-storage (eg emptyDir, or your container's writeable top layer), and the solution is the same: |
Hi @anguslees For instance, I deployed this Deployment: apiVersion: apps/v1
kind: Deployment
metadata:
name: debug
labels:
app: debug
spec:
replicas: 1
revisionHistoryLimit: 2
selector:
matchLabels:
app: debug
template:
metadata:
labels:
app: debug
spec:
terminationGracePeriodSeconds: 5
enableServiceLinks: false
imagePullSecrets:
- name: registry
containers:
- name: debug
resources:
requests:
cpu: 100m
memory: 128Mi
ephemeral-storage: 1Mi
limits:
cpu: 100m
memory: 128Mi
ephemeral-storage: 1Mi
image: docker.io/alpine:latest
command:
- /bin/sleep
- "infinity"
workingDir: /app If I run However, when I run
If I run |
Right, I agree you've found a bug - and we should include this file in the ephemeral quota calculation. I was trying to say we don't need a radically new mechanism here, and the implication is a DoS not compromise. |
What happened?
An unprivileged process/user running inside of a pod is able to write to
/dev/termination-log
file.I thought this was preventable with both pod/container
securityContext
but that didn't turn out to be the case.I didn't test it till the end but I tried redirecting the output of
/dev/urandom
from within the container to/dev/termination-log
and filled it with gibberish until it reached the size of 2GB.I suspect this is a way to compromise/crash node.
Is this an exploitable scenario and what can be done to mount the termination log in a way that doesn't allow unprivileged user/process to write arbitrary stuff to it?
What did you expect to happen?
Permissions to be denied when attempting to write
/dev/termination-log
file.How can we reproduce it (as minimally and precisely as possible)?
Exec pod container with maximally unprivileged securityContext and write
/dev/termination-log
file with:cat /dev/urandom > /dev/termination-log
Anything else we need to know?
No response
Kubernetes version
Any
Cloud provider
N/A
OS version
Any
Install tools
N/A
Container runtime (CRI) and version (if applicable)
N/A
Related plugins (CNI, CSI, ...) and versions (if applicable)
N/A
The text was updated successfully, but these errors were encountered: