Does this app run a root privilege pod?
smartaquarius10 opened this issue · 10 comments
While connecting the bridge using the vscode plugin, it creates a new pod with `AllowPrivilegeEscalation` set to true.
Is this mandatory to set as true? Because in a restricted organization environment it is not possible to run a pod like this.
SMALL CORRECTION:- Referring to `runAsNonRoot` as true, not `AllowPrivilegeEscalation`.
@smartaquarius10 Thanks for this question. I think we can move this to discussions if you are willing to talk more about it, but the answer to this is NO, Bridge to Kubernetes doesn't create pods with securityContext: allowPrivilegeEscalation, and I looked through the places where bridge creates pod specs and I don't see anywhere it is setting a security context.
It creates two pods: a remote agent with the same name as the service/pod you are debugging (runs with image lpkremoteagent) and another pod with the same name as your service/pod but with -restore at the end (runs with image lpkrestorationjob). Please let me know if you have further questions or share logs if you face issues. Thanks again.
@hsubramanianaks Thank you so much for the prompt reply. I am extremely sorry, my bad. I've mentioned `AllowPrivilegeEscalation`, but the error was coming because of `runAsNonRoot` as true.
Does this flag have to be false for this plugin? In a company's environment, this flag is never allowed as well. You can test it using this sample operator.
Just deploy it and the vscode plugin connection with Kubernetes shall fail. The remote agent pod will not spin up. The moment you change this to false, the pod will start working.
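An added example, not code from the thread or from the Bridge to Kubernetes project: it computes, per container, the `runAsNonRoot` / `runAsUser` / `allowPrivilegeEscalation` values that the kubelet and a restricted admission policy actually evaluate (container-level `securityContext` overrides pod-level, and `allowPrivilegeEscalation` exists only at container level), then lists what a restricted policy would reject. The sample pod is constructed to mirror the scenario above: pod-level `runAsNonRoot: true` inherited by an agent container that sets nothing itself.

```python
from typing import Any, Dict, List

def effective_security(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Per container, the security settings that are actually in force.

    Container-level securityContext fields override pod-level ones;
    allowPrivilegeEscalation is container-only and defaults to true when unset.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    out = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        c_sc = c.get("securityContext") or {}
        out.append({
            "name": c["name"],
            "runAsNonRoot": c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")),
            "runAsUser": c_sc.get("runAsUser", pod_sc.get("runAsUser")),
            "allowPrivilegeEscalation": c_sc.get("allowPrivilegeEscalation", True),
        })
    return out

def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Subset of the 'restricted' Pod Security Standard checks (assumed model)."""
    problems = []
    for c in effective_security(pod):
        if c["runAsNonRoot"] is not True:
            problems.append(f"{c['name']}: runAsNonRoot must be true")
        if c["allowPrivilegeEscalation"] is not False:
            problems.append(f"{c['name']}: allowPrivilegeEscalation must be false")
        if c["runAsUser"] == 0:
            problems.append(f"{c['name']}: runAsUser 0 is root")
    return problems

# Constructed sample: runAsNonRoot enforced at pod level, agent container
# inherits it. If the agent image runs as UID 0, the kubelet refuses to start
# the container even though no admission policy flagged the spec.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "my-service"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "agent", "image": "lpkremoteagent"}],
    },
}

if __name__ == "__main__":
    for line in restricted_violations(SAMPLE_POD):
        print(line)
```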
@smartaquarius10 Even this flag I don't find in the bridge codebase; I believe it is something to do with the operator or your company environment. Thank you.
@hsubramanianaks I have already shared the link to the code base and its property. Sharing it again. https://github.com/codereliant/sample-tenant-operator/blob/0b2f76cd9af6bc8e0a23cfa890716f26cc372692/config/manager/manager.yaml#L60
@hsubramanianaks If you have some free time, just deploy this operator and try connecting the plugin. You'll get the error. You don't have to change anything in the code to get the error.
@hsubramanianaks The remote agent pod created by the plugin throws an error to set the run-as-non-root flag to false.
@hsubramanianaks Any update on this please? Did you get some time to check this?
@smartaquarius10 Apologies I was occupied, I will take a look into this today. Thanks for your patience.
@hsubramanianaks Hey np. Sure thanks.. :)
Regards,
Tanul
Any updates on this issue? Are there any plans to make b2k run as non-root or require root access?