Replies: 1 comment 3 replies
-
|
You can use kubernetes to run a container without root as long as the container has CAP_SETUID and CAP_SETGID |
Beta Was this translation helpful? Give feedback.
-
|
Yes, but what about SELinux? |
Beta Was this translation helpful? Give feedback.
-
|
The article doesn't mention SELinux for rootless privileged. Does it work with default policies? The article only mentions SELinux for unprivileged. And I assume that's because the default policies are too restrictive? Can they be modified, or must SELinux be disabled? |
Beta Was this translation helpful? Give feedback.
-
|
SELinux is enforced the same was in rootless and rootful mode. Key issue is that the root process in the container is root on the host. Running with rootful plus --userns=auto, solves this somewhat. |
Beta Was this translation helpful? Give feedback.
-
I've spent hours trying to search for any information on this.
I would like to build in Kubernetes, and would like to run with least-privileges.
I understand that it's possible using uid=1000 and privileged.
But is it possible to further restrict filesystem access using SELinux? I've seen several guides that suggest to exclude SELinux
container-selinux. But I'm assuming that the default policies are too restrictive.If SELinux is supported, what would be the minimal policies?
For example, I would like to prevent all read access to non-essential libraries, e.g. deny /etc, /opt, /var, and so on.
Beta Was this translation helpful? Give feedback.
All reactions