Why `Prevent containers from accessing host files by using high UIDs` requires UID > 10 000
Socolin opened this issue
Hello,
About this rule: https://hub.datree.io/built-in-rules/prevent-uid-conflicts
Why is it requiring > 10 000 and not 1 000? On Unix the UIDs for user accounts start at 1 000 by default: https://linux.die.net/man/8/adduser
Values between 0 and 999 are typically reserved for system accounts.
The value 1 000 is also used in the examples here:
https://github.com/datreeio/datree/blob/0182bab534acec48ce7f14a256e60f4b17c05aa6/examples/security-best-practices/pass.yaml
It feels strange to enforce a value that large.
Hi @Socolin, this is considered a best-practice by many security-focused entities. The aim is to provide a buffer in order to avoid conflicts with the host's user table, and this is agreed-upon as a reasonable buffer.
The security perspective is that even with other UIDs, we risk impersonating another user on the host system if the container is compromised. To drastically reduce the probability, configured users should only start from UID 10,000.
Some references:
Thanks for the explanation.
I would have expected this to be handled by namespaces; from what I see there is a user namespace in k8s now:
https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces
Yes, looks like user namespaces will mitigate this security risk, but this feature is only available in v1.25, so this rule is relevant to all earlier versions 👍
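To make the rule and the user-namespace carve-out discussed above concrete, here is an added example that re-implements the check over plain Pod manifests. It is not datree's code; the 10 000 threshold and the exemption for pods with `hostUsers: false` (the Kubernetes user-namespace field) are assumptions taken from this thread, and the sample manifests are constructed.

```python
"""Minimal re-implementation of the "high UID" check from this thread.
Added example, not datree's own rule engine."""

MIN_UID = 10_000  # buffer above the host's regular user range (1000-9999)


def effective_uids(pod_spec):
    """Yield (container_name, uid) for every (init) container. A container-level
    securityContext.runAsUser overrides the pod-level one; None means unset."""
    pod_uid = pod_spec.get("securityContext", {}).get("runAsUser")
    for section in ("initContainers", "containers"):
        for c in pod_spec.get(section, []):
            uid = c.get("securityContext", {}).get("runAsUser", pod_uid)
            yield c["name"], uid


def check_pod(manifest):
    """Return a list of violation strings; an empty list means the rule passes."""
    spec = manifest["spec"]
    # hostUsers: false puts the pod in its own user namespace (k8s >= 1.25), so
    # container UIDs no longer map 1:1 onto host UIDs and the buffer is moot.
    if spec.get("hostUsers") is False:
        return []
    violations = []
    for name, uid in effective_uids(spec):
        if uid is None:
            violations.append(f"{name}: runAsUser not set (may run as root)")
        elif uid < MIN_UID:
            violations.append(f"{name}: runAsUser {uid} < {MIN_UID}")
    return violations


# Constructed sample manifests (not from the datree repository).
FAILING = {"kind": "Pod", "spec": {"containers": [
    {"name": "app", "securityContext": {"runAsUser": 1000}}]}}
PASSING = {"kind": "Pod", "spec": {"securityContext": {"runAsUser": 10001},
                                   "containers": [{"name": "app"}]}}
USERNS = {"kind": "Pod", "spec": {"hostUsers": False, "containers": [
    {"name": "app", "securityContext": {"runAsUser": 1000}}]}}

if __name__ == "__main__":
    for label, m in (("failing", FAILING), ("passing", PASSING), ("userns", USERNS)):
        print(label, check_pod(m) or "OK")
```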
Is there a way to specify the version used to datree to ignore this warning?
You can just turn off (disable) this rule, and this way it will not run:
https://hub.datree.io/dashboard/policies#customizing-a-policy
Is there any way to disable this with a file, like in ~/.config/datree/ or something like that, to avoid adding an annotation on every resource? I'm using datree without an account (and I would like to avoid having a new secret to manage in the pipeline), so I don't have access to this UI.
Hi @Socolin
You can skip a certain rule by adding the cli skip annotation. Here's a link to the docs: https://hub.datree.io/configuration/behavior#skip-specific-rules-for-a-single-object
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.