Is there any risk to co-located pods if we allow root user privilege for a process in one pod?

11/1/2019

I am using Docker for containers in Kubernetes.

I read that a Docker container isolates the user space but shares the kernel space. If this is true, I have the following doubts:

1) Can a process in a pod get access to kernel space and affect other pods? If yes, how is that possible and how can we solve this?

2) Is there any risk in allowing the process inside a pod to have root access?

--
containers
docker
kubernetes
linux

1 Answer

11/1/2019

Yes, there are vulnerabilities which may lead to hackers getting into even your Kubernetes nodes. However, there are security barriers that protect you before one can even reach a pod. Those are: your cloud provider's credentials to access your k8s pool, and firewall rules. If you are careful setting those, it would be very difficult for someone to get in.

Regarding security in Kubernetes itself, check this document; it tells you how to protect the kernel space. In addition, you can define security contexts for the users in your pods.

-- Rodrigo Loza
Source: StackOverflow
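The answer points at pod security contexts as the Kubernetes-level control. As an added example (not part of the question or the answer above), the script below audits a Pod object in the JSON form `kubectl get pod <name> -o json` emits and flags the settings that let a root process in one pod reach the shared kernel or the node: host namespaces, hostPath mounts, `privileged`, running as UID 0, `allowPrivilegeEscalation`, undropped capabilities, a writable root filesystem and a missing seccomp profile. The field names are the real PodSpec and SecurityContext fields; the two manifests are constructed samples, one permissive and one hardened, so the script runs offline.

```python
"""Audit Kubernetes Pod specs for root and privilege risks.

Example code added to this page, not from the original post. Works on the
dict structure produced by `kubectl get pod <name> -o json`; the two sample
pods below are constructed for illustration.
"""
import json

# Constructed sample: root process, privileged container, host PID namespace,
# and the node's root filesystem mounted into the pod.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "weak"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"privileged": True},
        }],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: the same workload with a hardened security context.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod):
    """Return a list of finding strings; an empty list means no risk flagged."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespaces put the container's processes next to the node's own.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod: {key}=true shares a host namespace")
    # A hostPath mount is a direct path to node files (kubelet creds, /etc, ...).
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"pod: volume {vol['name']} mounts hostPath {path}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        # Container-level settings override the pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))

        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (all capabilities, raw device access)")
        if run_as_user == 0 or (not run_as_non_root and run_as_user is None):
            findings.append(f"{name}: may run as root (runAsNonRoot unset/false, no non-zero runAsUser)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not false (setuid binaries can gain privileges)")
        dropped = [x.upper() for x in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append(f"{name}: capabilities not dropped (runtime default set kept)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        if seccomp.get("type") in (None, "Unconfined"):
            findings.append(f"{name}: no seccomp profile, every syscall reaches the shared kernel")
    return findings


def audit_json(text):
    """Audit raw JSON text, e.g. the output of `kubectl get pod NAME -o json`."""
    return audit_pod(json.loads(text))


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"])
        for f in audit_pod(pod) or ["  no findings"]:
            print(" ", f)
```

Run against live objects with `kubectl get pod NAME -o json | python3 -c 'import sys, audit; print(audit.audit_json(sys.stdin.read()))'`. The point of the checks is the one the question raises: the kernel is shared, so a root process with `privileged`, host namespaces or a hostPath mount does not need a kernel exploit to affect other pods, it can simply reach the node. Dropping capabilities and applying a seccomp profile shrink the syscall surface a root process can present to that shared kernel, but they do not remove it; a kernel vulnerability remains a cross-pod risk on the same node. In current clusters the same rules are enforced for you by the built-in Pod Security Admission controller (the `restricted` profile), so this script is a way to see what that profile checks rather than a replacement for it.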