
Commit f37345e

committed
dynamic resource allocation: add "compromised resource driver plugin"
This discusses the effect of attacking the resource driver in addition to or instead of kubelet.
1 parent 278cd5c commit f37345e

File tree

1 file changed

+26
-0
lines changed
  • keps/sig-node/3063-dynamic-resource-allocation


keps/sig-node/3063-dynamic-resource-allocation/README.md

Lines changed: 26 additions & 0 deletions
@@ -84,6 +84,7 @@ SIG Architecture for cross-cutting KEPs).
8484
- [Risks and Mitigations](#risks-and-mitigations)
8585
- [Feature not used](#feature-not-used)
8686
- [Compromised node](#compromised-node)
87+
- [Compromised resource driver plugin](#compromised-resource-driver-plugin)
8788
- [User permissions and quotas](#user-permissions-and-quotas)
8889
- [Usability](#usability)
8990
- [Design Details](#design-details)
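Review bot: the new table-of-contents entry is consistent with the heading added later in this patch (`#### Compromised resource driver plugin`, anchor `#compromised-resource-driver-plugin`) and sits directly after `Compromised node`, matching the section order; nothing to change here.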
@@ -576,6 +577,31 @@ driver vendor. Solutions like Akri which establish their own control plane and
576577
then communicate with Kubernetes through the device plugin API already need to
577578
address this.
578579

580+
#### Compromised resource driver plugin
581+
582+
This is the result of an attack against the resource driver, either from a
583+
container which uses a resource exposed by the driver, a compromised kubelet
584+
which interacts with the plugin, or through a successful attack against the
585+
node which led to root access.
586+
587+
The resource driver plugin only needs read access to objects described in this
588+
KEP, so compromising it does not interfere with dynamic resource allocation for
589+
other drivers. It may need write access for [CRDs that communicate or
590+
coordinate resource
591+
availability](#implementing-a-plugin-for-node-resources). This could be used to
592+
attack scheduling involving the driver as outlined in the previous section.
593+
594+
A resource driver may need root access on the node to manage
595+
hardware. Attacking the driver therefore may lead to root privilege
596+
escalation. Ideally, driver authors should try to avoid depending on root
597+
permissions and instead use capabilities or special permissions for the kernel
598+
APIs that they depend on.
599+
600+
A resource driver may also need privileged access to remote services to manage
601+
network-attached devices. Resource driver vendors and cluster administrators
602+
have to consider what the effect of a compromise could be for that and how such
603+
privileges could get revoked.
604+
579605
#### User permissions and quotas
580606

581607
Similar to generic ephemeral inline volumes, the [ephemeral resource use
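Review bot: the second paragraph's claim that compromising the plugin "does not interfere with dynamic resource allocation for other drivers" rests on an unstated assumption: it only holds if the plugin's Kubernetes credentials are scoped to its own objects, and the text names no such mitigation. Suggest stating it explicitly, e.g. "Cluster administrators should grant the driver only the RBAC permissions it needs, and write access to the CRDs used for coordination should be limited to the driver's own objects", so that a reader knows what keeps the blast radius to a single driver. The last sentence also reads awkwardly ("what the effect of a compromise could be for that"); suggest "have to consider what the effect of a compromise could be on those remote services and how such privileges could get revoked", and since revocation is raised as a concern, the section could recommend short-lived or rotatable credentials for those services rather than leaving revocation unspecified.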
