Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot overwrite existing securityContext in podTemplate #344

Open
sampritipanda opened this issue Oct 14, 2021 · 6 comments
Open

Cannot overwrite existing securityContext in podTemplate #344

sampritipanda opened this issue Oct 14, 2021 · 6 comments

Comments

@sampritipanda
Copy link

For some web challenges where I don't need a nsjail, I would like to start the container without CAP_SYS_ADMIN. As a result, I modify the securityContext to remove any capabilities using the following:

spec:
  ...
  podTemplate:
    template:
      spec:
        containers:
          - name: challenge
            securityContext:
              capabilities: {}

However, this does not remove the capabilities and the container is still deployed with CAP_SYS_ADMIN. This is because of a bug in kctf-operator code here:

https://github.com/google/kctf/blob/v1/kctf-operator/pkg/controller/challenge/deployment/deployment.go#L73

	if deployment.Spec.Template.Spec.Containers[idx_challenge].SecurityContext.Capabilities == nil {
		deployment.Spec.Template.Spec.Containers[idx_challenge].SecurityContext.Capabilities = &corev1.Capabilities{};
	}

	deployment.Spec.Template.Spec.Containers[idx_challenge].SecurityContext.Capabilities.Add =
		append(deployment.Spec.Template.Spec.Containers[idx_challenge].SecurityContext.Capabilities.Add, "SYS_ADMIN")

In the existing code, regardless of what the Capabilities is set to, it adds the CAP_SYS_ADMIN capability. I understand that this is needed by nsjail, but if I manually specify some capabiltiies, then it should not be overwritten by the kctf-operator.

I'm not sure what the best solution is here, but we should definitely be given an option to not start containers with CAP_SYS_ADMIN.
@sirdarckcat
Copy link
Member

@sroettger fixed this on #301

@sirdarckcat sirdarckcat reopened this Apr 15, 2022
@sirdarckcat
Copy link
Member

sirdarckcat commented Apr 15, 2022
edited
Loading

Actually looking at this more closely, the fix we made forces cap_sys_admin on you.

@sirdarckcat
Copy link
Member

Idea: add a nsjail: false to challenge.yaml or something to tell the operator to ignore cap_sys_admim

@sroettger
Copy link
Collaborator

Idea: add a nsjail: false to challenge.yaml or something to tell the operator to ignore cap_sys_admim

that sounds good to me, but it should probably not say nsjail. Something like: "kctf_default_caps" or so?

Can you drop privileges in your CMD as a workaround?

@sirdarckcat
Copy link
Member

Yep! That sounds good. We can bikesched the name a bit. I assume kctf is kindof redundant? What about:

    extra_hardening:
     - apparmor_policy
     - no_capabilities

I dont like the ´no_capabilities´ is a negative, but wdyt of this? @sroettger

@sroettger
Copy link
Collaborator

Maybe no_default_capabilities?
no_capabilities would imply that we always run without capabilities, but I think it should control that we don't add any capabilities for kctf itself.

For example

capabilities: CAP_NET_ADMIN
extra_hardening:
 - no_capabilities

should still have net_admin at the end.

@lucidBrot lucidBrot mentioned this issue Dec 2, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sirdarckcat @sampritipanda @sroettger