Security concern using EFS file system with EKS in a multi-tenant Kubernetes cluster

7/21/2020

We are currently building a multi-tenant cluster in EKS. For our persistent storage, we are using the Amazon EFS CSI driver https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html.

We are trying to use a single EFS with a different folder for each PV.

The issue we are facing is the security group needs to be applied at the node group level, so right now any pod with high enough privilege can just mount the EFS drive and delete anything on it.

Is there any way to resolve this security issue?

-- Shingo501
Tags: amazon-efs, amazon-eks, amazon-web-services, kubernetes

1 Answer

7/21/2020

AFAIK, the only way is to make use of UNIX-style permissions in your EFS drive. Basically, you can create these permissions ahead of time for the subdirectories, based on a UNIX UID/GID, and then you can force your pods to start with a certain UID/GID (and fsGroup) using a SecurityContext.

Additionally, you can also make use of MutatingAdmissionWebhooks so that your pods always get a securityContext automatically added based on, say, the namespace that they run in.

-- Rico
Source: StackOverflow