Pod Security Standards (PSS) and Security Context Constraints (SCC)
Kubernetes Pod Security Standards (PSS) and Pod Security Policies (PSP) define permission levels and restrict the behavior of pods. OpenShift Security Context Constraints (SCC) similarly define pod restriction specific to the OpenShift Kubernetes Engine. To provide this customization, Trident enables certain permissions during installation. The following sections detail the permissions set by Trident.
PSS replaces Pod Security Policies (PSP). PSP was deprecated in Kubernetes v1.21 and will be removed in v1.25. For more information, Refer to Kubernetes: Security. |
Required Kubernetes Security Context and Related Fields
Permission | Description |
---|---|
Privileged |
CSI requires mount points to be Bidirectional, which means the Trident node pod must run a privileged container. For more information, refer to Kubernetes: Mount propagation. |
Host networking |
Required for the iSCSI daemon. |
Host IPC |
NFS uses interprocess communication (IPC) to communicate with the NFSD. |
Host PID |
Required to start |
Capabilities |
The |
Seccomp |
Seccomp profile is always "Unconfined" in privileged containers; therefore, it cannot be enabled in Trident. |
SELinux |
On OpenShift, privileged containers are run in the |
DAC |
Privileged containers must be run as root. Non-privileged containers run as root to access unix sockets required by CSI. |
Pod Security Standards (PSS)
Label | Description | Default |
---|---|---|
|
Allows the Trident Controller and nodes to be admitted into the install namespace. |
|
Changing the namespace labels can result in pods not being scheduled, an "Error creating: …" or, "Warning: trident-csi-…". If this happens, check if the namespace label for privileged was changed. If so, reinstall Trident.
|
Pod Security Policies (PSP)
Field | Description | Default |
---|---|---|
|
Privileged containers must allow privilege escalation. |
|
|
Trident does not use inline CSI ephemeral volumes. |
Empty |
|
Non-privileged Trident containers do not require more capabilities than the default set and privileged containers are granted all possible capabilities. |
Empty |
|
Trident does not make use of a FlexVolume driver, therefore they are not included in the list of allowed volumes. |
Empty |
|
The Trident node pod mounts the node's root filesystem, therefore there is no benefit to setting this list. |
Empty |
|
Trident does not use any |
Empty |
|
Trident does not require any unsafe |
Empty |
|
No capabilities are required to be added to privileged containers. |
Empty |
|
Allowing privilege escalation is handled in each Trident pod. |
|
|
No |
Empty |
|
Trident containers run as root. |
|
|
Mounting NFS volumes requires host IPC to communicate with |
|
|
iscsiadm requires the host network to communicate with the iSCSI daemon. |
|
|
Host PID is required to check if |
|
|
Trident does not use any host ports. |
Empty |
|
Trident node pods must run a privileged container in order to mount volumes. |
|
|
Trident node pods must write to the node filesystem. |
|
|
Trident node pods run a privileged container and cannot drop capabilities. |
|
|
Trident containers run as root. |
|
|
Trident containers run as root. |
|
|
Trident does not use |
Empty |
|
Trident does not set |
Empty |
|
Trident containers run as root. |
|
|
Trident pods require these volume plugins. |
|
Security Context Constraints (SCC)
Labels | Description | Default |
---|---|---|
|
Trident node pods mount the node's root filesystem. |
|
|
Mounting NFS volumes requires host IPC to communicate with |
|
|
iscsiadm requires the host network to communicate with the iSCSI daemon. |
|
|
Host PID is required to check if |
|
|
Trident does not use any host ports. |
|
|
Privileged containers must allow privilege escalation. |
|
|
Trident node pods must run a privileged container in order to mount volumes. |
|
|
Trident does not require any unsafe |
|
|
Non-privileged Trident containers do not require more capabilities than the default set and privileged containers are granted all possible capabilities. |
Empty |
|
No capabilities are required to be added to privileged containers. |
Empty |
|
Trident containers run as root. |
|
|
This SCC is specific to Trident and is bound to its user. |
Empty |
|
Trident node pods must write to the node filesystem. |
|
|
Trident node pods run a privileged container and cannot drop capabilities. |
|
|
Trident containers run as root. |
|
|
Trident does not set |
Empty |
|
Privileged containers always run "Unconfined". |
Empty |
|
Trident containers run as root. |
|
|
One entry is provided to bind this SCC to the Trident user in the Trident namespace. |
n/a |
|
Trident pods require these volume plugins. |
|