KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2568-kubeadm-non-root-control-plane
k/e issue: kubernetes/enhancements#2568
This KEP proposes that the control-plane in kubeadm be run as non-root. If containers are running as root, an escape from a container may result in escalation to root on the host. CVE-2019-5736 is an example of a container escape vulnerability that can be mitigated by running containers/pods as non-root.
The kubeadm feature gate is called RootlessControlPlane.
ALPHA 1.22:
- code changes:
  - seccomp = runtime/default:
    - runtime/default Seccomp Profile in kubeadm control-plane components. kubernetes#100234
  - add feature gate:
    - Add a feature-gate to kubeadm to enable/disable rootless control-plane. kubernetes#102158
  - add utils / constants:
    - Add utils to add and remove users and groups to kubeadm. kubernetes#102195
    - kubeadm: add utilities to manage users and groups kubernetes#102463
    - Add user and group name constants for kubeadm rootless control-plane. kubernetes#102494
    - Add utils to set file/directory owners and permissions. kubernetes#102604
  - (on the side) pipe dry-run option to static pod manifest utils:
    - Update CreateInitStaticPodManifestFiles, CreateStaticPodFiles and CreateLocalEtcdStaticPodManifestFile to take into account if the command was run as dry-run. kubernetes#102722
  - run CP components as non-root:
    - Update kubeadm control-plane to run as non-root. kubernetes#102759
  - run etcd as non-root:
    - Update etcd in kubeadm to run as non-root. kubernetes#102862
  - fix bug in "download-certs" and permissions:
    - kubeadm: fix wrong check for keys/certs during "download-certs" kubernetes#103313
    - Fix incorrect user and group for kube-scheduler when it is running as non-root. kubernetes#103380
  - Remove users and groups created as part of rootless control-plane in kubeadm. kubernetes#101988
- e2e tests:
  - Add e2e tests for rootless control-plane. #2511
  - Add e2e tests for rootless control-plane in kubeadm. test-infra#22676
  - kinder: use the "auto" mode for the "rootless" workflow #2520
  - Use pgrep -f to do a full match and use regular expression to make su… #2521
  - kinder: include upgrade artifacts in rootless workflow #2522
on hold until further notice. we are waiting for the user namespaces KEP to go GA:
BETA x.yy:
- update KEP to tag Beta
- start tracking the KEP in release spreadsheets (task for kubeadm leads)
- make code changes in kubeadm (enable FG by default, test if upgrades work as is?)
- update docs pages:
  - https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/ would need to include some details on how the feature works under the hood, e.g. the user/group add/remove magic.
  - https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init should include a section about the new feature gate and how to turn it off. we need to remove the section when the FG is GA.
- update e2e tests?
  - https://github.com/kubernetes/kubeadm/blob/main/kinder/ci/tools/update-workflows/templates/workflows/rootless-tasks.yaml
  - we need to ensure that we have test coverage for upgrading from "FG off" -> "FG on" by default and then checking if CP is rootless.
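As an added illustration of the "check if CP is rootless" step (this is example code, not kubeadm's own code or its kinder e2e workflow): the script below audits the `kubectl get pods -n kube-system -o json` PodList and reports any control-plane container that still runs as root, has no runAsGroup, is privileged, or whose pod does not carry the runtime/default (RuntimeDefault) seccomp profile. It relies on the real `component=<name>` / `tier=control-plane` labels that kubeadm puts on its static pods; the embedded PodList, the UID/GID 2001 and the node name cp1 are constructed sample data, not values taken from kubeadm.

```python
import json
import sys
from typing import Dict, List

# kubeadm labels its static control-plane pods with component=<name>, tier=control-plane.
CONTROL_PLANE_COMPONENTS = frozenset(
    {"kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd"}
)


def audit_pod(pod: Dict) -> List[str]:
    """Return findings for one pod. An empty list means every container runs as a
    non-zero UID and GID, is not privileged, and the pod uses the RuntimeDefault
    seccomp profile (the runtime/default profile from the ALPHA 1.22 work)."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    if seccomp != "RuntimeDefault":
        findings.append(
            f"{name}: pod seccompProfile.type is {seccomp!r}, expected 'RuntimeDefault'"
        )

    for container in spec.get("containers", []):
        cname = container.get("name", "<unnamed>")
        c_sc = container.get("securityContext") or {}
        # Container-level values override pod-level values, so look there first.
        uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        gid = c_sc.get("runAsGroup", pod_sc.get("runAsGroup"))
        if uid is None or uid == 0:
            findings.append(f"{name}/{cname}: runAsUser is {uid!r} (root or unset)")
        if gid is None or gid == 0:
            findings.append(f"{name}/{cname}: runAsGroup is {gid!r} (root or unset)")
        if c_sc.get("privileged"):
            findings.append(f"{name}/{cname}: container is privileged")
    return findings


def audit_control_plane(pod_list: Dict) -> Dict[str, List[str]]:
    """Audit every control-plane pod in a PodList; results are keyed by pod name."""
    results: Dict[str, List[str]] = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if meta.get("labels", {}).get("component") not in CONTROL_PLANE_COMPONENTS:
            continue  # coredns, kube-proxy, CNI pods etc. are out of scope here
        results[meta["name"]] = audit_pod(pod)
    return results


def is_rootless(pod_list: Dict) -> bool:
    """True only if at least one control-plane pod was found and none had findings."""
    results = audit_control_plane(pod_list)
    return bool(results) and all(not f for f in results.values())


# Constructed sample PodList (not real cluster output): one rootless kube-apiserver,
# one etcd still running with no securityContext, and one non-control-plane pod.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "kube-apiserver-cp1",
                         "labels": {"component": "kube-apiserver", "tier": "control-plane"}},
            "spec": {
                "securityContext": {"runAsUser": 2001, "runAsGroup": 2001,
                                    "seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [{"name": "kube-apiserver",
                                "securityContext": {"allowPrivilegeEscalation": False}}],
            },
        },
        {
            "metadata": {"name": "etcd-cp1",
                         "labels": {"component": "etcd", "tier": "control-plane"}},
            "spec": {"containers": [{"name": "etcd"}]},
        },
        {
            "metadata": {"name": "coredns-abc", "labels": {"k8s-app": "kube-dns"}},
            "spec": {"containers": [{"name": "coredns", "securityContext": {"runAsUser": 0}}]},
        },
    ],
}


if __name__ == "__main__":
    # Usage: kubectl get pods -n kube-system -o json > pods.json && python3 audit.py pods.json
    pod_list = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for pod_name, pod_findings in audit_control_plane(pod_list).items():
        status = "OK" if not pod_findings else "\n  ".join([""] + pod_findings)
        print(f"{pod_name}: {status}")
    sys.exit(0 if is_rootless(pod_list) else 1)
```

The non-zero exit status makes the check usable as a gate in an upgrade test: run it once with the feature gate off (expect failure), upgrade with the gate on, and run it again (expect success).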