CAP_DAC_OVERRIDE capability needed on Kube 1.26.04 with Ubuntu 23.04 substrate #7

Open
galmasi opened this issue Aug 23, 2023 · 0 comments

galmasi commented Aug 23, 2023

I find that the example specified in your README does not work on my particular version of kubernetes.

How to produce the problem

  • install Kubernetes 1.26.04 on an Ubuntu 23.04 (lunar) substrate
  • use the standard kubeadm-based deployment running on top of docker.io
  • deploy the helm chart for k8s-tpm-device-plugin as usual
  • create the example pod (zero capabilities etc.) with a pre-installed version of tpm2-tools
  • confirm that the pod has zero capabilities assigned (capsh --print or check /proc/1/status inside the container):

    ```
    root@tpm-device-test:/# cat /proc/1/status | grep CapPrm
    CapPrm: 0000000000000000
    ```

  • run tpm2_pcrread or some other tpm2 tool and confirm that it fails with an "access denied" error:

    ```
    root@tpm-device-test:/# tpm2_pcrread
    ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
    ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0
    WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 99: Cannot assign requested address
    ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0
    WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 99: Cannot assign requested address
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0
    ERROR:tcti:src/tss2-tcti/tctildr-dl.c:254:tctildr_get_default() No standard TCTI could be loaded
    ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
    ERROR: Could not load tcti, got: "(null)"
    ```

Proposed fix

  • Add one capability to the example pod:

    ```yaml
    ...
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: ["CAP_DAC_OVERRIDE"]   # this will allow directory access for tpm2-tools
    ```

  • Confirm that the started pod has the added capability:

    ```
    root@tpm-device-test:/# cat /proc/1/status | grep CapPrm
    CapPrm: 0000000000000002
    ```

  • Test that tpm2_pcrread now works correctly.
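As an added illustration (not code from this issue or from the k8s-tpm-device-plugin project), the Python below decodes the CapPrm values quoted above into capability names and models the discretionary access check that CAP_DAC_OVERRIDE bypasses, which is what makes the O_RDWR open of /dev/tpmrm0 succeed once the capability is added. The device-node attributes (crw-rw---- owned by root and a "tss" group with placeholder gid 115) and the non-root uid 1000 are constructed assumptions; the issue does not show the node's ownership or mode inside the pod. The example also goes one step past the issue by evaluating a narrower alternative for a non-root pod: joining the device's group (what the pod's securityContext.supplementalGroups field does) instead of granting a capability that bypasses every file permission check.

```python
"""Decode /proc/<pid>/status capability masks and model the Linux DAC check
that CAP_DAC_OVERRIDE short-circuits.

Added example for this issue; not code from k8s-tpm-device-plugin.
The /proc status text and device-node attributes below are constructed.
"""
from __future__ import annotations

import os

# Capability bit numbers as defined in <linux/capability.h>: bit i <-> index i.
CAP_NAMES = (
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
)


def decode_capmask(hex_mask: str) -> list[str]:
    """Turn a CapPrm/CapEff hex value into the list of capability names set."""
    mask = int(hex_mask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_cap_fields(status_text: str) -> dict[str, list[str]]:
    """Extract and decode every Cap* line from /proc/<pid>/status content."""
    caps: dict[str, list[str]] = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key] = decode_capmask(value.strip())
    return caps


def dac_allows(mode: int, owner_uid: int, owner_gid: int,
               uid: int, gids: set[int], caps: set[str],
               want: int = os.R_OK | os.W_OK) -> bool:
    """Model the kernel's discretionary access check for open().

    `mode` holds the st_mode permission bits; `want` is a mask of os.R_OK (4),
    os.W_OK (2) and os.X_OK (1), matching the rwx bit layout. Returns True when
    every requested permission is granted.
    """
    if "CAP_DAC_OVERRIDE" in caps:
        # Bypasses read/write checks; execute still needs at least one x bit.
        return not (want & os.X_OK) or bool(mode & 0o111)
    if uid == owner_uid:
        shift = 6            # rwx------ owner bits
    elif owner_gid in gids:
        shift = 3            # ---rwx--- group bits
    else:
        shift = 0            # ------rwx other bits
    granted = (mode >> shift) & 0o7
    return (granted & want) == want


# Constructed /proc/1/status excerpts mirroring the two readings in the issue.
STATUS_BEFORE = "Name:\tsleep\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
STATUS_AFTER = "Name:\tsleep\nCapPrm:\t0000000000000002\nCapEff:\t0000000000000002\n"

# Constructed device node: crw-rw---- root:tss. Assumption only; the node's
# ownership and mode inside the reporter's pod are not shown in the issue.
TPMRM0_MODE, TPMRM0_UID, TPMRM0_GID = 0o660, 0, 115   # 115 is a placeholder gid for "tss"


def tpm_open_outcomes() -> dict[str, bool]:
    """Compare ways of letting a non-root (uid 1000) pod process open the node O_RDWR."""
    no_caps: set[str] = set()
    with_override = {"CAP_DAC_OVERRIDE"}
    return {
        "uid1000_no_caps":
            dac_allows(TPMRM0_MODE, TPMRM0_UID, TPMRM0_GID, 1000, {1000}, no_caps),
        "uid1000_cap_dac_override":
            dac_allows(TPMRM0_MODE, TPMRM0_UID, TPMRM0_GID, 1000, {1000}, with_override),
        "uid1000_tss_supplemental_group":
            dac_allows(TPMRM0_MODE, TPMRM0_UID, TPMRM0_GID, 1000, {1000, TPMRM0_GID}, no_caps),
    }


if __name__ == "__main__":
    print("before:", parse_cap_fields(STATUS_BEFORE))
    print("after: ", parse_cap_fields(STATUS_AFTER))
    for label, allowed in tpm_open_outcomes().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

Feed `parse_cap_fields` the real contents of `/proc/1/status` from inside a pod to see exactly which bits the runtime left in CapPrm and CapEff; the two 16-digit values in the issue decode to an empty set and to `["CAP_DAC_OVERRIDE"]` respectively. The last two entries of `tpm_open_outcomes` both come back allowed, which is the point of the comparison: for a non-root container, group membership on the device node grants only that node, whereas CAP_DAC_OVERRIDE grants read and write on every file the process can reach.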