You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CSI driver containers need to run as HostProcess pods for the CSI Proxy commands to complete privileged operations.
61
+
CSI driver containers need to run as HostProcess containers (HPC) for the CSI Proxy commands to complete privileged operations.
57
62
This can be done by updating the driver pod spec, typically embedded in a Daemonset.
58
-
The Kubernetes Windows HostProcess Pod[docs](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/) goes into more detail about each field.
63
+
The Kubernetes Windows HPC[docs](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/) goes into more detail about each field.
59
64
60
65
```yaml
61
66
spec:
62
67
securityContext:
63
68
hostNetwork: true
64
69
windowsOptions:
65
70
hostProcess: true
71
+
# you might want to use a different user name
72
+
# to limit the privileges of the containers
73
+
# see the `Security` section
66
74
runAsUserName: "NT AUTHORITY\\SYSTEM"
67
75
```
68
76
69
-
Using HostProcess pods have a few important consequences on the deployed containers, as noted in the HostProcess docs.
70
-
- HostProcess containers have no file system or resource isolation, so they have a complete view of the host machine’s file system.
77
+
Using HPCs have a few important consequences on the deployed containers, as noted in the docs linked above.
78
+
- HPCs have no file system or resource isolation, so they have a complete view of the host machine’s file system.
71
79
This means that paths passed in **paths passed as command line arguments must be absolute paths with respect to the host**.
72
80
On the other hand, depending on the containerd and the Windows OS version, Kubernetes volume mounts are either mounted relative to a subdirectory of the host machine specified by an environment variable `%CONTAINER_SANDBOX_MOUNT_POINT%` or **mounted relative to the host process root**. See [HostProcess Caveats](#hostprocess-caveats).
73
-
- HostProcess pods can only contain HostProcess containers.
81
+
- HPC is enabled at the pod level, and a HostProcess pod can only contain HostProcess containers.
74
82
Often, the CSI node registrar is deployed in the same pod as the driver, so file paths for both containers need to be updated.
75
83
- Named pipes and Unix domain sockets are not supported and should be accessed via their absolute path with respect to the host.
84
+
- The privileged nature of HPCs means that additional security policies must be put in place to reduce attack surface.
85
+
See [Security](#security)
76
86
77
87
Instead of mounting host process paths such as `c:\var\lib\kubelet` to each container’s own filesystem, the container can directly access these paths.
78
88
@@ -135,3 +145,28 @@ HostProcess containers require containerd v1.6 to work, but new Windows OS APIs
135
145
Practically, the difference is that HostProcess containers running on nodes with containerd v1.6 see the whole host file system, whereas HostProcess containers running on nodes with containerd v1.7 are presented with a merged view of the host OS’s file system and container-local volumes. Containerd v1.6 mounts the container files at `c:\C\{container-id}`, whereas containerd v1.7 mounts the container files at `c:\hpc`, where changes inside that path are only visible to the container. In both versions, the mount path is exposed as an environment variable `%CONTAINER_SANDBOX_MOUNT_POINT%`, which is also set as the default working directory of the containers.
136
146
137
147
Another key difference is that volume mounts in containerd v1.6 are relative to the container mount path (i.e., `%CONTAINER_SANDBOX_MOUNT_POINT%`), whereas volume mounts in containerd v1.7 are relative to the root of the host file system. Drivers that rely on mounting volumes to containers are likely going to be broken by containerd version changes. Therefore, it’s recommended to migrate drivers deployment specs to not use any volume mounts and instead rely on absolute host file system paths. This should ensure that the driver will work with both containerd v1.6 and v1.7.
148
+
149
+
### Version Skew
150
+
151
+
An important consideration for using CSI Proxy v2 is that support for HPCs is only enabled by default starting in Kubernetes 1.23.
152
+
153
+
Kubernetes [version skew policy](https://kubernetes.io/releases/version-skew-policy/) supports up to 2 minor versions of discrepancy between the control plane and worker nodes.
154
+
This means that drivers using CSI Proxy v2 cannot be safely deployed until the control plane is running in 1.25+, as worker nodes are guaranteed to run in 1.23+.
155
+
If worker nodes are running in 1.22 or earlier, they would not be able to recognize the HPC-related fields in the driver deployment spec issued by the control plane.
156
+
157
+
### Security
158
+
159
+
HPCs provide privileged access to the host machine.
160
+
This means that security measures should to be put in place to follow the principle of least privilege.
161
+
We identify a few ways to enable HPCs but minimize the attack surface.
162
+
163
+
- Administer admission webhooks to limit access to the HPC feature.
164
+
One could only enable the feature on the `kube-system` namespace, for example, and enforce access control to the system namespace.
165
+
- Create a Windows user group with the least amount of privilege necessary to support the CSI Proxy storage operations.
166
+
The HPC spec can be configured to create a temporary user created in that user group for each run by setting `runAsUserName` to the name of the group.
0 commit comments