Pod Security Standards (PSS) and Security Context Constraints (SCC)


Kubernetes Pod Security Standards (PSS) and Pod Security Policies (PSP) define permission levels and restrict what pods are allowed to do. OpenShift Security Context Constraints (SCC) similarly restrict pods on the OpenShift Kubernetes Engine. To run under these controls, Astra Trident requires certain permissions, which it configures during installation. The following sections detail the permissions Astra Trident sets and why each one is needed.

Note: PSS replaces Pod Security Policies (PSP). PSP was deprecated in Kubernetes v1.21 and removed in v1.25; the PSP table below applies only to clusters running Kubernetes v1.24 or earlier. For more information, see Kubernetes: Security.
Permission    Description

Privileged
    CSI mounts must use Bidirectional mount propagation, which Kubernetes permits only in privileged containers, so the Trident node pod must run a privileged container. For more information, see Kubernetes: Mount propagation.

Host networking
    Required for iSCSI. iscsiadm manages iSCSI sessions and communicates with the iSCSI daemon (iscsid) over a channel scoped to the host network namespace, so the node pod must share the host network.

Host IPC
    NFS mounts use interprocess communication (IPC) to communicate with the host's NFS daemon (nfsd).

Host PID
    Required to start rpc-statd for NFS. Astra Trident queries host processes to determine whether rpc-statd is already running before mounting NFS volumes.

Capabilities
    The SYS_ADMIN capability is part of the default capability set of a privileged container; Trident does not request it separately. For example, Docker grants a privileged container every capability the running kernel offers (here 38 bits, CAP_CHOWN through CAP_AUDIT_READ), as visible in /proc/<pid>/status:
        CapPrm: 0000003fffffffff
        CapEff: 0000003fffffffff

Seccomp
    The seccomp profile of a privileged container is always "Unconfined", so a seccomp profile cannot be enabled for Trident's privileged containers.

SELinux
    On OpenShift (CRI-O), privileged containers run in the spc_t ("Super Privileged Container") domain and unprivileged containers in the container_t domain. On containerd with container-selinux installed, all containers run in the spc_t domain unless SELinux support is enabled in the CRI plugin, which effectively disables SELinux confinement for them. Because the resulting label depends on the runtime and distribution, Astra Trident does not add seLinuxOptions to its containers.

DAC
    Privileged containers must run as root. Non-privileged Trident containers also run as root in order to access the Unix sockets required by CSI.
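The CapPrm/CapEff values quoted in the Capabilities row are bitmasks, and the claim that a privileged container has SYS_ADMIN is easiest to verify by decoding them. The following is an added example for this page (not Trident code): it parses the Cap* lines of /proc/<pid>/status, names every set bit using the numbering from include/uapi/linux/capability.h, and diffs the result against the classic Docker default capability set. The function names, DEFAULT_RUNTIME_CAPS and SAMPLE_STATUS are this example's own; the status text is constructed.

```python
"""Decode Linux capability bitmasks as printed in /proc/<pid>/status.

Added example; not Trident code. Run `cat /proc/1/status` inside a container
and feed the output to parse_proc_status() to see exactly which capabilities
a privileged (or default) container really holds.
"""
from typing import Dict, List, Set

# Index == capability number (CAP_CHOWN is bit 0, CAP_CHECKPOINT_RESTORE bit 40).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Classic default set Docker grants a non-privileged container
# (CapEff 00000000a80425fb); used as the baseline to diff against.
DEFAULT_RUNTIME_CAPS: Set[str] = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}


def decode_caps(hexmask: str) -> List[str]:
    """Map a 64-bit hex mask to capability names, lowest bit first.

    Bits beyond the table (kernels newer than the table) are reported as
    CAP_<bit> rather than silently dropped.
    """
    mask = int(hexmask, 16)
    names: List[str] = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_proc_status(text: str) -> Dict[str, str]:
    """Extract the Cap* fields (CapInh, CapPrm, CapEff, CapBnd, CapAmb)."""
    caps: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key] = value.strip()
    return caps


def extra_over_default(hexmask: str) -> List[str]:
    """Capabilities in the mask that a default (non-privileged) container lacks."""
    return sorted(set(decode_caps(hexmask)) - DEFAULT_RUNTIME_CAPS)


# Constructed sample: the Cap* block of /proc/1/status in a privileged container.
SAMPLE_STATUS = """Name:\tmain
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    fields = parse_proc_status(SAMPLE_STATUS)
    effective = decode_caps(fields["CapEff"])
    print(f"{len(effective)} effective capabilities; SYS_ADMIN present: "
          f"{'SYS_ADMIN' in effective}")
    print("beyond the default set:", ", ".join(extra_over_default(fields["CapEff"])))
```

Decoding 0000003fffffffff yields 38 capabilities (bits 0 through 37, SYS_ADMIN among them); 24 of those are not in the default set, which is the concrete privilege delta a privileged Trident node container carries over an ordinary one.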

Pod Security Standards (PSS)

Label    Description    Default

pod-security.kubernetes.io/enforce
pod-security.kubernetes.io/enforce-version
    Allow the Trident controller and node pods to be admitted into the install namespace. Do not change these namespace labels.
    Default: enforce: privileged
             enforce-version: <version of the current cluster, or the highest version of PSS tested>

Warning: Changing the namespace labels can result in pods not being scheduled, an "Error creating: …​" event, or a "Warning: trident-csi-…​" message. If this happens, check whether the namespace's enforce label is still set to privileged. If it was changed, reinstall Trident.
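Why the namespace must be labelled privileged follows directly from the permission table above: every host namespace, the hostPath volume and the privileged container are each a baseline violation, so a baseline or restricted enforce label rejects the node pod at admission. The following is an added example (not Trident code and not the Kubernetes Pod Security Admission plugin) that implements the documented baseline and restricted checks these fields touch and evaluates them against a constructed stand-in pod spec. NODE_POD, HARDENED_POD, check_baseline, check_restricted and admitted are this example's own names; the specs are constructed, not the Trident manifests.

```python
"""Minimal Pod Security Standards evaluator for the fields this page discusses.

Added example; not Trident code and not the upstream admission plugin.
"""
from typing import Callable, Dict, List

# Capabilities a baseline container may add (PSS baseline profile).
BASELINE_ADD_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# Volume types the restricted profile permits; hostPath already fails baseline.
RESTRICTED_VOLUMES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _containers(spec: Dict) -> List[Dict]:
    """Admission evaluates init, regular and ephemeral containers alike."""
    found: List[Dict] = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        found.extend(spec.get(key) or [])
    return found


def check_baseline(spec: Dict) -> List[str]:
    """Return baseline violations for a PodSpec dict; empty list means admitted."""
    v: List[str] = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            v.append(f"spec.{ns}=true")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            v.append(f"volume {vol.get('name')!r} is a hostPath")
    pod_sc = spec.get("securityContext") or {}
    if (pod_sc.get("seccompProfile") or {}).get("type") == "Unconfined":
        v.append("spec.securityContext.seccompProfile=Unconfined")
    for c in _containers(spec):
        name, sc = c.get("name"), c.get("securityContext") or {}
        if sc.get("privileged"):
            v.append(f"container {name!r}: privileged=true")
        extra = set((sc.get("capabilities") or {}).get("add") or []) - BASELINE_ADD_CAPS
        if extra:
            v.append(f"container {name!r}: adds capabilities {sorted(extra)}")
        if (sc.get("seccompProfile") or {}).get("type") == "Unconfined":
            v.append(f"container {name!r}: seccompProfile=Unconfined")
    return v


def check_restricted(spec: Dict) -> List[str]:
    """Restricted profile: baseline plus the extra hardening it demands."""
    v = check_baseline(spec)
    pod_sc = spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    for vol in spec.get("volumes") or []:
        kinds = [k for k in vol if k != "name"]
        if any(k not in RESTRICTED_VOLUMES for k in kinds):
            v.append(f"volume {vol.get('name')!r}: type {kinds} not allowed")
    for c in _containers(spec):
        name, sc = c.get("name"), c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            v.append(f"container {name!r}: allowPrivilegeEscalation must be false")
        if "ALL" not in (caps.get("drop") or []):
            v.append(f"container {name!r}: must drop ALL capabilities")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            v.append(f"container {name!r}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            v.append(f"container {name!r}: runAsUser=0")
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ("RuntimeDefault", "Localhost"):
            v.append(f"container {name!r}: seccompProfile must be RuntimeDefault or Localhost")
    return v


# enforce label value -> checker; "privileged" is unrestricted, hence no checks.
LEVELS: Dict[str, Callable[[Dict], List[str]]] = {
    "privileged": lambda spec: [],
    "baseline": check_baseline,
    "restricted": check_restricted,
}


def admitted(spec: Dict, enforce_level: str) -> bool:
    """Would Pod Security Admission admit this spec under the given enforce label?"""
    return not LEVELS[enforce_level](spec)


# Constructed stand-in for a CSI node pod with the permissions listed on this page.
NODE_POD = {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "node-plugin",
                    "securityContext": {"privileged": True, "runAsUser": 0}}],
}
# Constructed workload that satisfies the restricted profile, for contrast.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}

if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:10s} node pod admitted: {admitted(NODE_POD, level)}")
    for problem in check_baseline(NODE_POD):
        print("  baseline violation:", problem)
```

Under the baseline profile the node pod collects five violations (three host namespaces, the hostPath volume, the privileged container), so only `enforce: privileged` admits it; the hardened pod passes restricted, which is the level to aim for in namespaces that do not host a storage driver.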

Pod Security Policies (PSP)

Field    Description    Default

allowPrivilegeEscalation
    Privileged containers must allow privilege escalation.
    Default: true

allowedCSIDrivers
    Trident does not use inline CSI ephemeral volumes.
    Default: Empty

allowedCapabilities
    Non-privileged Trident containers do not require more capabilities than the default set, and privileged containers are granted all possible capabilities.
    Default: Empty

allowedFlexVolumes
    Trident does not use a FlexVolume driver, so none are included in the list of allowed volumes.
    Default: Empty

allowedHostPaths
    The Trident node pod mounts the node's root filesystem, so restricting this list provides no benefit.
    Default: Empty

allowedProcMountTypes
    Trident does not use any ProcMountTypes.
    Default: Empty

allowedUnsafeSysctls
    Trident does not require any unsafe sysctls.
    Default: Empty

defaultAddCapabilities
    No capabilities need to be added to privileged containers.
    Default: Empty

defaultAllowPrivilegeEscalation
    Allowing privilege escalation is set explicitly in each Trident pod.
    Default: false

forbiddenSysctls
    Trident does not set any sysctls, so none need to be forbidden.
    Default: Empty

fsGroup
    Trident containers run as root.
    Default: RunAsAny

hostIPC
    Mounting NFS volumes requires host IPC to communicate with nfsd.
    Default: true

hostNetwork
    iscsiadm requires the host network to communicate with the iSCSI daemon.
    Default: true

hostPID
    Host PID is required to check whether rpc-statd is running on the node.
    Default: true

hostPorts
    Trident does not use any host ports.
    Default: Empty

privileged
    Trident node pods must run a privileged container in order to mount volumes.
    Default: true

readOnlyRootFilesystem
    Trident node pods must write to the node filesystem.
    Default: false

requiredDropCapabilities
    Trident node pods run a privileged container and cannot drop capabilities.
    Default: none

runAsGroup
    Trident containers run as root.
    Default: RunAsAny

runAsUser
    Trident containers run as root.
    Default: RunAsAny

runtimeClass
    Trident does not use RuntimeClasses.
    Default: Empty

seLinux
    Trident does not set seLinuxOptions because container runtimes and Kubernetes distributions currently differ in how they handle SELinux.
    Default: Empty

supplementalGroups
    Trident containers run as root.
    Default: RunAsAny

volumes
    Trident pods require these volume plugins.
    Default: hostPath, projected, emptyDir

Security Context Constraints (SCC)

Field    Description    Default

allowHostDirVolumePlugin
    Trident node pods mount the node's root filesystem.
    Default: true

allowHostIPC
    Mounting NFS volumes requires host IPC to communicate with nfsd.
    Default: true

allowHostNetwork
    iscsiadm requires the host network to communicate with the iSCSI daemon.
    Default: true

allowHostPID
    Host PID is required to check whether rpc-statd is running on the node.
    Default: true

allowHostPorts
    Trident does not use any host ports.
    Default: false

allowPrivilegeEscalation
    Privileged containers must allow privilege escalation.
    Default: true

allowPrivilegedContainer
    Trident node pods must run a privileged container in order to mount volumes.
    Default: true

allowedUnsafeSysctls
    Trident does not require any unsafe sysctls.
    Default: none

allowedCapabilities
    Non-privileged Trident containers do not require more capabilities than the default set, and privileged containers are granted all possible capabilities.
    Default: Empty

defaultAddCapabilities
    No capabilities need to be added to privileged containers.
    Default: Empty

fsGroup
    Trident containers run as root.
    Default: RunAsAny

groups
    This SCC is specific to Trident and is bound to its user rather than to a group.
    Default: Empty

readOnlyRootFilesystem
    Trident node pods must write to the node filesystem.
    Default: false

requiredDropCapabilities
    Trident node pods run a privileged container and cannot drop capabilities.
    Default: none

runAsUser
    Trident containers run as root.
    Default: RunAsAny

seLinuxContext
    Trident does not set seLinuxOptions because container runtimes and Kubernetes distributions currently differ in how they handle SELinux.
    Default: Empty

seccompProfiles
    Privileged containers always run "Unconfined".
    Default: Empty

supplementalGroups
    Trident containers run as root.
    Default: RunAsAny

users
    One entry is provided to bind this SCC to the Trident user in the Trident namespace.
    Default: n/a

volumes
    Trident pods require these volume plugins.
    Default: hostPath, downwardAPI, projected, emptyDir