You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs: Mention static pods in the security guidance around api access
We recommend against providing access to the API socket from containers
because of the effects it can have on system configuration and security.
This change specifically calls out the ability to define static pods as
an action that could be taken with API access, and the effects of doing
so.
Copy file name to clipboardexpand all lines: SECURITY_GUIDANCE.md
+2
Original file line number
Diff line number
Diff line change
@@ -71,6 +71,8 @@ It is labeled `api_socket_t`, so only processes with privileged SELinux labels c
71
71
Write access to this socket will grant full control over system configuration.
72
72
This includes the ability to define an arbitrary source for a host container, and to run that container with "superpowers" that bypass other restrictions.
73
73
These "superpowers" are described [below](#limit-use-of-host-containers).
74
+
For Kubernetes variants, it also includes the ability to define and run static pods.
75
+
These are managed directly by `kubelet` and are not subject to admission controllers that enforce security policies for the cluster.
74
76
75
77
We recommend blocking access to the API socket from containers managed by the orchestrator.
76
78
The "control" host container can be used to modify settings when needed.
0 commit comments