-
-
Notifications
You must be signed in to change notification settings - Fork 92
[question] Run privileged necessary? #913
Comments
@chrisns I think you made that file |
Hey |
@rolfw btw mind that this project is not maintained anymore, I suggest you to switch to zwavejs version |
Having done some research, it seems that k8s doesn't support an equivalent of Docker's Device plugins need to run as a daemon pod and they still need to run privileged, but at least this reduces attack surface since the main pod can run unprivileged and the daemon pod isn't listening on any ports (assuming it interacts with the kubelet directly). Another approach I researched was to explicitly allow access to a particular path in I found a pull request for chaosmesh where they appear to have implemented this for the same reason: Remove privileged and add some capabilities (#1109) #1126. I didn't get around to experimenting with any of this yet, but I might have some time in the next week or two to see if I can get it to work. |
Thanks for mentioning, I wasn't aware of that. Maybe a good idea to include that in the readme of this repo as well. Is that project functionally equivalent and stable? |
Functionality superior, probably more stable (subjective) |
Yes. Your summary of findings is roughly what I was expecting. It's not a unique problem really, wanting to expose a /dev device to a non-root user so should all be possible Feel free to join the slack and we can work on it together if you like |
The example Kubernetes deploment.yaml contains
allowPrivilegeEscalation: true
andprivileged: true
.This seems like a security risk, so I'm wondering if this is necessary for proper operation of the container.
If so, what is it needed for, and how can privileges be limited to the meet the minimal requirements only?
The text was updated successfully, but these errors were encountered: