From fce75f8562e4214e10618dd6ad9ff4ee16ec6c89 Mon Sep 17 00:00:00 2001 From: Zac Mrowicki Date: Fri, 1 Oct 2021 15:26:15 +0000 Subject: [PATCH] docs: Mention static pods in the security guidance around api access We recommend against providing access to the API socket from containers because of the effects it can have on system configuration and security. This change specifically calls out the ability to define static pods as an action that could be taken with API access, and the effects of doing so. --- SECURITY_GUIDANCE.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SECURITY_GUIDANCE.md b/SECURITY_GUIDANCE.md index b68b7df3851..2367d891219 100644 --- a/SECURITY_GUIDANCE.md +++ b/SECURITY_GUIDANCE.md @@ -71,6 +71,8 @@ It is labeled `api_socket_t`, so only processes with privileged SELinux labels c Write access to this socket will grant full control over system configuration. This includes the ability to define an arbitrary source for a host container, and to run that container with "superpowers" that bypass other restrictions. These "superpowers" are described [below](#limit-use-of-host-containers). +For Kubernetes variants, it also includes the ability to define and run static pods. +These are managed directly by `kubelet` and are not subject to admission controllers that enforce security policies for the cluster. We recommend blocking access to the API socket from containers managed by the orchestrator. The "control" host container can be used to modify settings when needed.
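Review bot: the two added lines state the consequence of static pods (they bypass admission controllers) without saying what a static pod is or pointing to where this document or upstream docs describe them, whereas the neighbouring host-container sentence links to its own section ("described [below](#limit-use-of-host-containers)"). Suggest a short parenthetical on the first added line, e.g. "static pods (pods whose manifests `kubelet` reads directly rather than receiving from the API server)", or a link to the relevant documentation, so a reader who does not know the term understands why they escape cluster policy. The second added line could also make the defender-side implication explicit: because these pods never pass through the API server's admission path, controls such as Pod Security admission do not apply, so the API socket restriction on the surrounding lines is the only effective boundary on what such a pod may run.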