During custom K8s flexvolume development, I observed that containers are able to view the complete list of block devices present on the K8s minion (host) where they are running. Basically, the "lsblk" command output on the host OS is also visible if "lsblk" is executed inside the containers. Also, if container c1 has a flexvolume v1 assigned and c2 has v2, and both c1 and c2 run on the same K8s host, then c1's OS can see both v1 and v2 in the "lsblk" output. c1 has access only to v1 and not v2, which is as expected, but for certain security aspects we do not want c1's OS to view any block devices being accessed by c2 or specifically by the K8s host. K8s is using docker as the containerization service.
Can anyone please guide me on how to achieve the expected configuration? Is a K8s Namespace the way to go? If yes, can you provide an example? Thanks in advance.
Additionally, a PV that is already bound to one PVC cannot be bound to another, regardless of namespace. This means that even if a user attempts to craft a PVC which claims an existing PV from a different namespace, it will fail. When using Trident, the PV and PVC are destroyed at the same time by default. This behavior can be changed so that PVs are retained, but a PV that was bound to a PVC once and then unbound can never be bound again.
https://netapp.io/2018/06/15/highly-secure-kubernetes-persistent-volumes/
Use pod security policies to restrict pods from accessing host paths and to allow only some specific volume types and PVs.
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
AllowedHostPaths - See Volumes and file systems.
Volumes and file systems
Volumes - Provides a whitelist of allowed volume types. The allowable values correspond to the volume sources that are defined when creating a volume. For the complete list of volume types, see Types of Volumes. Additionally, * may be used to allow all volume types.
The recommended minimum set of allowed volumes for new PSPs is:
configMap
downwardAPI
emptyDir
persistentVolumeClaim
secret
projected
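As an added example (not from the Kubernetes docs or the answer above), here is a PodSecurityPolicy that whitelists exactly that recommended minimum set of volume types, plus the RBAC objects that let service accounts in one namespace use it; the policy, role and namespace names (restricted-volumes, psp-restricted-volumes, team-a) are assumptions.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-volumes            # assumed name
spec:
  privileged: false                   # privileged pods could reach host block devices directly
  allowPrivilegeEscalation: false
  # Only the recommended minimum volume types are allowed. hostPath and flexVolume
  # are deliberately absent, so pods requesting them are rejected at admission;
  # add flexVolume here (and an allowedFlexVolumes list) if a custom driver must stay usable.
  volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - secret
    - projected
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# A PSP only takes effect for subjects granted the "use" verb on it; bind it per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-volumes        # assumed name
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames: ["restricted-volumes"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-volumes
  namespace: team-a                   # assumed namespace
roleRef:
  kind: ClusterRole
  name: psp-restricted-volumes
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: system:serviceaccounts:team-a
    apiGroup: rbac.authorization.k8s.io
```

The PodSecurityPolicy admission plugin must be enabled on the API server for this to be enforced; PodSecurityPolicy was removed in Kubernetes 1.25, where the same restrictions are expressed through Pod Security Admission or an external admission controller instead.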