This repository has been archived by the owner on Feb 24, 2021. It is now read-only.

[question] Run privileged necessary? #913

Open
rolfw opened this issue Feb 21, 2021 · 7 comments

Comments

@rolfw

rolfw commented Feb 21, 2021

The example Kubernetes deployment.yaml contains allowPrivilegeEscalation: true and privileged: true.

This seems like a security risk, so I'm wondering if this is necessary for proper operation of the container.

If so, what is it needed for, and how can privileges be limited to meet the minimal requirements only?

@rolfw rolfw added the question Further information is requested label Feb 21, 2021
@robertsLando
Member

@chrisns I think you made that file

@chrisns
Member

chrisns commented Feb 22, 2021

Hey
Yes, it's lazy. You can probably find a way to run as non-root and seccomp what's needed to talk to the USB device. It's just not something I'd looked at yet.
It would be best practice, so a PR would be great if you want to figure it out, and we can update the k8s and docker docs.

@robertsLando
Member

@rolfw btw, mind that this project is not maintained anymore; I suggest you switch to the zwavejs version.

@rolfw
Author

rolfw commented Feb 23, 2021

Having done some research, it seems that k8s doesn't support an equivalent of Docker's --device flag yet: add support for host devices #5607. In the issue comments the most mentioned approach is to use a Device Plugin, and the only implementation I found was SMARTER Device Manager.

Device plugins need to run as a daemon pod and they still need to run privileged, but at least this reduces attack surface since the main pod can run unprivileged and the daemon pod isn't listening on any ports (assuming it interacts with the kubelet directly).

Another approach I researched was to explicitly allow access to a particular path in /dev/* only, using something like SELinux, AppArmor or Linux capabilities. Capabilities seem to be the most promising, since both SELinux and AppArmor need to be installed on the node before pod-specific configuration takes effect. So this would complicate deployment for users of zwave2mqtt who don't have that installed already.

I found a pull request for chaosmesh where they appear to have implemented this for the same reason: Remove privileged and add some capabilities (#1109) #1126.

I didn't get around to experimenting with any of this yet, but I might have some time in the next week or two to see if I can get it to work.
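To make the two routes discussed in this thread concrete, here is an added example (not code from the zwave2mqtt repository or from any of the commenters): a minimal pod spec with the settings the question refers to, followed by the same pod hardened along the lines rolfw describes. The device plugin resource name, the image name, the UID and the dialout GID are assumptions and are marked as such in the comments; the same securityContext blocks go into a Deployment's pod template unchanged.

```yaml
# Added example, not from the original repository.
# Document 1: the shape of the settings the question asks about (weak).
apiVersion: v1
kind: Pod
metadata:
  name: zwave2mqtt-privileged
spec:
  containers:
    - name: zwave2mqtt
      image: IMAGE_PLACEHOLDER        # placeholder, not a real image reference
      securityContext:
        privileged: true              # full device and capability access on the node
        allowPrivilegeEscalation: true
      volumeMounts:
        - name: usb
          mountPath: /dev/ttyUSB0
  volumes:
    - name: usb
      hostPath:
        path: /dev/ttyUSB0            # assumed device node; adjust for the stick in use
        type: CharDevice
---
# Document 2: same workload, least privilege, device handed in by a device plugin.
apiVersion: v1
kind: Pod
metadata:
  name: zwave2mqtt-unprivileged
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                   # assumed unprivileged UID inside the image
    # Serial device nodes are typically group-owned by "dialout"; GID 20 is the
    # Debian default and is an assumption about the node OS. Membership gives the
    # non-root process read/write on the node without any capability.
    supplementalGroups: [20]
    seccompProfile:
      type: RuntimeDefault            # runtime's default syscall filter, as chrisns suggests
  containers:
    - name: zwave2mqtt
      image: IMAGE_PLACEHOLDER        # placeholder, not a real image reference
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]               # nothing in the serial/MQTT path needs a capability
      resources:
        limits:
          # Extended resource exported by a SMARTER Device Manager daemonset for
          # /dev/ttyUSB0. The exact resource name is an assumption and must match
          # that plugin's config map on your cluster.
          smarter-devices/ttyUSB0: 1
```

The point of the second document is that dropping `privileged` is not just a matter of flipping the flag: a plain hostPath bind mount of the device node (document 1 without `privileged: true`) is still blocked by the container runtime's device cgroup, which is exactly the gap Kubernetes issue #5607 describes. A device plugin adds the single node to the container's device allowlist, so the application container itself can run as non-root with every capability dropped, and only the per-node plugin daemonset stays privileged.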

@rolfw
Author

rolfw commented Feb 23, 2021

@rolfw btw, mind that this project is not maintained anymore; I suggest you switch to the zwavejs version.

Thanks for mentioning it, I wasn't aware of that. Maybe it's a good idea to include that in the readme of this repo as well. Is that project functionally equivalent and stable?

@chrisns
Member

chrisns commented Feb 23, 2021

@rolfw
Thanks for mentioning it, I wasn't aware of that. Maybe it's a good idea to include that in the readme of this repo as well. Is that project functionally equivalent and stable?

Functionally superior, probably more stable (subjective).

@chrisns
Member

chrisns commented Feb 23, 2021

I didn't get around to experimenting with any of this yet, but I might have some time in the next week or two to see if I can get it to work.

Yes. Your summary of findings is roughly what I was expecting. It's not a unique problem really, wanting to expose a /dev device to a non-root user, so it should all be possible.

Feel free to join the Slack and we can work on it together if you like.
