Prohibit Root Containers in PMK Clusters

Problem

  • Self-service users are able to create pods with root containers in PMK.

  • If such pods mount critical host paths such as /, they pose a serious security threat to the host and the underlying filesystem.

Environment

  • Platform9 Managed Kubernetes - v5.6 and higher

Answer

  • Platform9 is aware of this issue, and an RFE is already in place for it with ID PMK-6540.

Additional Information

  • Ensure that all applications meet the following criteria:

Mount Only Necessary Directories: If your application needs access to specific host directories, mount only those directories rather than the entire root filesystem.

Use Read-Only Mounts: If the container only needs to read data from the host, use a read-only mount to prevent any modifications.

Run as Non-Root User: Configure the container to run as a non-root user to limit its privileges within the container and on the host.

Apply Security Policies: Use Kubernetes security policies to enforce constraints on what containers can do, including restricting the host paths they can access.
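
Until enforcement is available in the platform, the criteria above can be checked against existing workloads. The following is an added example, not Platform9 code: a small Python audit that flags pods which mount the host root, mount a hostPath volume read-write, or may run as root. The function name `audit_pod` and both sample pods are constructed for illustration; the field names are standard Kubernetes Pod API fields.

```python
# Added example (not Platform9 code): audit Pod objects against the criteria above.
# Field names are standard Kubernetes Pod API fields; both sample Pods are constructed.

def audit_pod(pod):
    """Return a sorted list of findings for one Pod object given as a dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    # Map volume name -> host path, for hostPath volumes only.
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = [f"volume {n}: hostPath exposes the entire host root filesystem"
                for n, p in host_vols.items() if p.strip("/") == ""]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Container-level settings override pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0 or (uid is None and not non_root):
            findings.append(f"container {c['name']}: may run as root")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols and not m.get("readOnly", False):
                findings.append(f"container {c['name']}: hostPath volume "
                                f"{m['name']} is mounted read-write")
    return sorted(findings)

# Constructed sample: root container with the host's / mounted read-write.
RISKY = {"metadata": {"name": "risky"}, "spec": {
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "example/app",
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}

# Constructed sample: one specific directory, read-only, non-root UID.
HARDENED = {"metadata": {"name": "hardened"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/app"}}],
    "containers": [{"name": "app", "image": "example/app",
                    "volumeMounts": [{"name": "logs", "mountPath": "/logs",
                                      "readOnly": True}]}]}}

if __name__ == "__main__":
    for pod in (RISKY, HARDENED):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The same function can be applied to each entry of the `items` list in the output of `kubectl get pods -A -o json`.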
