Online / 6 & 7 February 2021


KubeVirt: privilege dropping one capability at a time

KubeVirt's architecture is composed of two main components: virt-handler, a trusted DaemonSet, running in each node, which operates as the virtualization agent, and virt-launcher, an untrusted Kubernetes pod encapsulating a single libvirt + qemu process.

To reduce the attack surface of the overall solution, the untrusted virt-launcher component should run with as little linux capabilities as possible.

The goal of this talk is to explain the journey to get there, and the steps taken to drop CAPNETADMIN, and CAPNETRAW from the untrusted component.

This talk will encompass changes in KubeVirt and Libvirt, and requires some general prior information about networking (dhcp / L2 networking).


Miguel Barroso