
Commit 5145a6a

Merge pull request #45152 from haircommander/proc-mount-beta-1.30
ProcMount 1.30 update
2 parents 00d5266 + c3e2106 commit 5145a6a

1 file changed: +56 -0 lines changed


content/en/docs/tasks/configure-pod-container/security-context.md

Lines changed: 56 additions & 0 deletions
@@ -477,6 +477,58 @@ runtime recursively changes the SELinux label for all inodes (files and directo
477477
in the volume.
478478
The more files and directories in the volume, the longer that relabelling takes.
479479

480+
## Managing access to the `/proc` filesystem {#proc-access}
481+
482+
{{< feature-state feature_gate_name="ProcMountType" >}}
483+
484+
For runtimes that follow the OCI runtime specification, containers default to running in a mode where
485+
there are multiple paths that are both masked and read-only.
486+
The result of this is the container has these paths present inside the container's mount namespace, and they can function similarly to if
487+
the container was an isolated host, but the container process cannot write to
488+
them. The list of masked and read-only paths are as follows:
489+
490+
- Masked Paths:
491+
- `/proc/asound`
492+
- `/proc/acpi`
493+
- `/proc/kcore`
494+
- `/proc/keys`
495+
- `/proc/latency_stats`
496+
- `/proc/timer_list`
497+
- `/proc/timer_stats`
498+
- `/proc/sched_debug`
499+
- `/proc/scsi`
500+
- `/sys/firmware`
501+
502+
- Read-Only Paths:
503+
- `/proc/bus`
504+
- `/proc/fs`
505+
- `/proc/irq`
506+
- `/proc/sys`
507+
- `/proc/sysrq-trigger`
508+
509+
510+
For some Pods, you might want to bypass that default masking of paths.
511+
The most common context for wanting this is if you are trying to run containers within
512+
a Kubernetes container (within a pod).
513+
514+
The `securityContext` field `procMount` allows a user to request a container's `/proc`
515+
be `Unmasked`, or be mounted as read-write by the container process. This also
516+
applies to `/sys/firmware` which is not in `/proc`.
517+
518+
```yaml
519+
...
520+
securityContext:
521+
procMount: Unmasked
522+
```
523+
524+
{{< note >}}
525+
Setting `procMount` to Unmasked requires the `spec.hostUsers` value in the pod
526+
spec to be `false`. In other words: a container that wishes to have an Unmasked
527+
`/proc` or unmasked `/sys` must also be in a
528+
[user namespace](/docs/concepts/workloads/pods/user-namespaces/).
529+
Kubernetes v1.12 to v1.29 did not enforce that requirement.
530+
{{< /note >}}
531+
480532
## Discussion
481533

482534
The security context for a Pod applies to the Pod's Containers and also to
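Review bot: the YAML snippet under the `procMount` paragraph (lines 518-522) hides its nesting behind `...`, so it neither shows that `procMount` lives in a container's `securityContext` (not the Pod-level one) nor includes the `spec.hostUsers: false` setting that the note right below says is required for `Unmasked`; suggest showing the full nesting, roughly `spec:` / `hostUsers: false` / `containers:` with `securityContext:` and `procMount: Unmasked` under the container, so readers do not copy an incomplete example. Two wording points in the same hunk: "multiple paths that are both masked and read-only" (line 485) misstates the two lists that follow, since some paths are masked and a different set is read-only, and "The list of masked and read-only paths are as follows" (line 488) should read "is as follows". It would also help to say in one sentence what `Unmasked` changes in practice, namely that the masked paths listed above (for example `/proc/kcore` and `/proc/sysrq-trigger`) become visible and the read-only set becomes writable from the container process, so that the user-namespace requirement in the note reads as the isolation boundary it is rather than as an unexplained configuration rule.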
@@ -523,3 +575,7 @@ kubectl delete pod security-context-demo-4
523575
* For more information about security mechanisms in Linux, see
524576
[Overview of Linux Kernel Security Features](https://www.linux.com/learn/overview-linux-kernel-security-features)
525577
(Note: Some information is out of date)
578+
* Read about [User Namespaces](/docs/concepts/workloads/pods/user-namespaces.md)
579+
for Linux pods.
580+
* [Masked Paths in the OCI Runtime
581+
Specification](https://github.com/opencontainers/runtime-spec/blob/f66aad47309/config-linux.md#masked-paths)
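Review bot: the User Namespaces link added at line 578 uses the `.md` form (`/docs/concepts/workloads/pods/user-namespaces.md`) while the same page is linked in the earlier hunk as `/docs/concepts/workloads/pods/user-namespaces/`; pick one form for both so the links resolve the same way. Pinning the OCI runtime-spec link to a specific commit (`f66aad47309`) is fine for stability, but consider a short note that the authoritative masked-path list is the runtime's, since the list in the section above reflects that spec version rather than what every runtime applies.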
