github/capsule
1
0
Fork 0
mirror of https://github.com/projectcapsule/capsule.git synced 2026-05-05 17:06:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
25f021e151a7c93e648b91a834baf4bb655ba1d9
capsule/docs/operator/use-cases/images-pullpolicy.md
Dario Tranchitella e7b33bda26 docs: documenting ImagePullPolicy enforcement
2021-06-14 10:53:55 +02:00

1.4 KiB
Raw Blame History

Enforcing Pod containers image PullPolicy

Bill is a cluster admin providing a Container as a Service platform using shared nodes.

Alice, a Tenant Owner, can start container images using private images: according to the Kubernetes architecture, the kubelet will download the layers on its cache.

Bob, an attacker, could try to schedule a Pod on the same node where Alice is running their Pod backed by private images: they could start new Pods using ImagePullPolicy=IfNotPresent and able to start them, even without required authentication since the image is cached on the node.

To avoid this kind of attack all the Tenant Owners must start their Pods using the ImagePullPolicy to Always, enforcing the kubelet to check the authorization first.

Capsule provides a way to enforce this behavior, as follows.

apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
  name: oil
  annotations:
    capsule.clastix.io/allowed-image-pull-policy: Always
spec:
  owner:
    name: alice
    kind: User

If you need to address specific use-case, the said annotation supports multiple values comme separated

capsule.clastix.io/allowed-image-pull-policy: Always,IfNotPresent

Whats next

See how Bill, the cluster admin, can assign trusted images registries to Alice's tenant. Assign Trusted Images Registries.

Reference in New Issue View Git Blame Copy Permalink