kubernetes: exec does not respect `allowPrivilegeEscalation: false`

What happened:

When running a container with allowPrivilegeEscalation: false the pid 1 process and its children have NoNewPrivs: 1. If I start an additional process in the same container using exec, the flag is set to 0.

What you expected to happen:

Processes started by exec should share the same settings as defined for the pid 1 process. This is true for capabilities for example.

How to reproduce it (as minimally and precisely as possible):

create a pod:

apiVersion: v1
kind: Pod
metadata:
  name: privs-test
spec:
  containers:
    # environment will get injected by Jenkins kubernetes plugin
  - name: busybox
    image: busybox
    command: ["tail", "-f", "/dev/null"]
    securityContext:
      allowPrivilegeEscalation: false

$ kubectl exec -it privs-test -- /bin/sh
/ # grep NoNewPrivs /proc/1/status    
NoNewPrivs:     1                     
/ # grep NoNewPrivs /proc/$$/status   
NoNewPrivs:     0                     
/ # exit

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version): Server Version: version.Info{Major:“1”, Minor:“12”, GitVersion:“v1.12.4”,

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 20 (17 by maintainers)

Most upvoted comments

I think this is caused by https://github.com/moby/moby/issues/38865

+1
Random-Liu on Mar 13, 2019
Read more comments on GitHub
← kubernetes: Exceeding the ephemeral storage limit not causing eviction in critical pods
kubernetes: Exec liveness probe does not honor timeoutSeconds on 1.20.7 →