Make nova pod run unprivileged
Summary
Currently there are 3 containers in the nova pod running with privileged: true
and uid 0. From a security perspective this is not an optimal solution.
Use cases
- For the sake of smooth security audits, the number of privileged pods should be reduced to the necessary minimum.
Proposal
Remove the privileged securityContext for all containers in the nova pod and find other solutions to run the containers without root privilege.
Also remove the hostPath mount of /dev and replace it with device plugins.
If a pod has to run in privileged mode, the technical reason MUST be documented.
To be discussed.
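To make the proposal checkable, here is an added audit helper (not part of this issue or the project) that flags exactly the three things the proposal wants removed: a privileged container, a container that may run as uid 0, and a hostPath mount of /dev. It takes the pod as a plain dict (as returned by kubectl get pod -o json); the two pod specs below are constructed stand-ins for the nova pod before and after the change, and the container names and the device plugin resource name are assumptions.

```python
# Added example, not the project's own code: audit a pod spec for privileged
# containers, uid 0, and hostPath /dev. Input is the pod as a plain dict.

def _exposes_host_dev(volume):
    path = volume.get("hostPath", {}).get("path", "")
    return path.rstrip("/") == "/dev" or path.startswith("/dev/")

def audit_pod(pod):
    """Return (container, finding) pairs; an empty list means the pod is compliant."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    dev_volumes = {v["name"] for v in spec.get("volumes", []) if _exposes_host_dev(v)}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((c["name"], "privileged"))
        # Container-level settings override pod-level ones; an unset uid means the
        # image default, which may be root unless runAsNonRoot forces a check.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and not non_root):
            findings.append((c["name"], "may run as uid 0"))
        for m in c.get("volumeMounts", []):
            if m["name"] in dev_volumes:
                findings.append((c["name"], "mounts hostPath /dev"))
    return findings

# Constructed stand-in for the current nova pod (container names are placeholders).
NOVA_BEFORE = {"spec": {
    "volumes": [{"name": "dev", "hostPath": {"path": "/dev"}}],
    "containers": [
        {"name": "nova-compute", "securityContext": {"privileged": True, "runAsUser": 0},
         "volumeMounts": [{"name": "dev", "mountPath": "/dev"}]},
        {"name": "nova-libvirt", "securityContext": {"privileged": True, "runAsUser": 0}},
    ]}}

# Hardened variant: no privileged flag, a non-root uid set once at pod level, and the
# device requested through a device plugin resource (resource name is an assumption).
NOVA_AFTER = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 42424},
    "containers": [
        {"name": "nova-compute", "resources": {"limits": {"example.com/kvm": 1}}},
        {"name": "nova-libvirt"},
    ]}}
```

Running audit_pod over every pod in a namespace gives the list of containers that still need a documented reason, which is what the specification below asks for.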
Specification
A pod MUST NOT run in privileged mode, unless the technical reason is documented.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this issue are to be interpreted in the spirit of RFC 2119, even though we're not technically doing protocol design.