DenyEscalatingExec when under GKE

Published 2019-06-08 18:02

Question:

We're using GKE with our Kubernetes cluster. One of the apps we're running is Jenkins for CI. Unfortunately, Jenkins slaves need to use Docker to mount their host's docker.sock. This is, potentially, an escalation exploit.

The solution is to set up your Admission Controller in the API server to use DenyEscalatingExec. But I can't, for the life of me, figure out how to get at that setting through GKE. It could even be set by default, but I can't figure out how to even get at the default settings hidden behind GKE.

Is there a way to set this (and other controllers) through GKE, or otherwise check the defaults to see if it's set?

Answer 1:

Unfortunately you can't change the enabled admission controllers on GKE. Alpha clusters support external admission webhooks but that would involve an amount of custom work.

An alternative option would be to use PodSecurityPolicy to only allow privileged Pods to run in a few tightly controlled namespaces. For example, you could create a jenkins namespace and only allow privileged Pods to be created in the jenkins and kube-system namespaces, and then prevent all users but cluster admins from exec-ing into Pods in those namespaces.
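One way to implement the namespace-scoped approach described in this answer, as an added example that is not part of the original answer: a cluster-wide restricted PodSecurityPolicy (hostPath and privileged Pods forbidden), a second policy that permits hostPath only for the Docker socket, RBAC that lets only service accounts in the jenkins namespace use it, and a viewer Role for that namespace that deliberately omits pods/exec. The names restricted, jenkins-docker-socket and jenkins-viewer, and the binding of the restricted policy to all authenticated users, are assumptions.

```yaml
# Constructed example. Default policy for the whole cluster; a ClusterRoleBinding granting "use" on it to system:authenticated is assumed to exist.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata: {name: restricted}
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostPID: false
  hostNetwork: false
  volumes: [configMap, emptyDir, projected, secret, persistentVolumeClaim]
  runAsUser: {rule: MustRunAsNonRoot}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
# Policy for Jenkins agents: hostPath is allowed, but only the Docker socket path, not the whole host filesystem.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata: {name: jenkins-docker-socket}
spec:
  volumes: [hostPath, configMap, emptyDir, projected, secret]
  allowedHostPaths:
  - pathPrefix: /var/run/docker.sock
  runAsUser: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: use-jenkins-docker-socket}
rules:
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  resourceNames: [jenkins-docker-socket]
  verbs: [use]
---
# RoleBinding (not ClusterRoleBinding): only Pods created by service accounts in the jenkins namespace may use the policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: use-jenkins-docker-socket, namespace: jenkins}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: use-jenkins-docker-socket}
subjects:
- {kind: Group, name: "system:serviceaccounts:jenkins", apiGroup: rbac.authorization.k8s.io}
---
# Non-admin users get read access to Pods and logs in jenkins; "pods/exec" is intentionally not listed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: jenkins-viewer, namespace: jenkins}
rules:
- apiGroups: [""]
  resources: [pods, pods/log]
  verbs: [get, list, watch]
```

Bind jenkins-viewer to the developer group with a RoleBinding in the jenkins namespace and leave pods/exec to cluster admins; `kubectl auth can-i create pods/exec -n jenkins --as=<user>` confirms the result.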



Answer 2:

Looks like you want to run your Jenkins CI in privileged mode. But if you just want to call Docker from inside Jenkins, you don't need to use privileged mode; you can just mount the Docker socket from the node into the Jenkins container.

spec:
  volumes:
  - name: docker-socket
    hostPath:
      path: /var/run/docker.sock
  containers:
  - name: name
    image: image-location
    volumeMounts:
    - name: docker-socket
      mountPath: /var/run/docker.sock

Regarding Admission Controllers, all of them are provided by the kube-apiserver binary and enabled on GKE. From the documentation about GKE:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: my-psp
spec:
  privileged: false  # Prevents creation of privileged Pods
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

You can find more examples in the documentation.