Brussels / 2 & 3 February 2019

schedule

Rootless Kubernetes

Running Kubernetes and CRI/OCI Runtimes as an unprivileged user


Kubernetes supports several security mechanisms such as Seccomp, Apparmor, SELinux, and runAsUser for protecting the hosts from container-breakout attacks. However, these mechanisms are not sufficient for the security demand because Kubelet and CRI/OCI runtimes require the root privileges on the hosts, and these components are seriously bug-prone. The dependency on the root privileges has been also problematic for promoting Kubernetes to the HPC world, where users are often disallowed to install software as the root.

In this talk, Akihiro and Giuseppe will show the community’s ongoing work for making Kubernetes deployable and runnable as a non-root user, by using User Namespaces. The main topics of discussion will be UID/GID mapping, unprivileged Copy-on-Write filesystems, Usermode networking (Slirp), and Cgroups.

Speakers

Photo of Akihiro Suda Akihiro Suda
Photo of Giuseppe Scrivano Giuseppe Scrivano

Links