[jira] [Commented] (YARN-8376) Separate white list for docker.trusted.registries and docker.privileged-container.registries

Mon, 11 Mar 2019 15:44:42 -0700 


    [ 
https://issues.apache.org/jira/browse/YARN-8376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16790028#comment-16790028
 ] 

Eric Badger commented on YARN-8376:
-----------------------------------

bq. If docker.privileged-containers.registries is a superset, user might be 
granted access to secrets or setuid binaries by accident that he might not have 
access otherwise.
I'm curious of what scenario there would be where you would put more sensitive 
information in images that are run as privileged than in ones that are run 
without privilege. Fine-grained control makes sense to me. I'm just having a 
hard time seeing a use case where you would run a privileged container with 
very sensitive information and then not trust a non-privileged container with 
that same information. 

bq. I think this is controlled by: docker.privileged-containers.enabled=true 
flag.
Oh, right. Yea that's right. I forgot we added an explicit enable flag. 
Disregard my comment on this.

> Separate white list for docker.trusted.registries and 
> docker.privileged-container.registries
> --------------------------------------------------------------------------------------------
>
>                 Key: YARN-8376
>                 URL: https://issues.apache.org/jira/browse/YARN-8376
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: docker
>         Attachments: YARN-8376.001.patch, YARN-8376.002.patch
>
>
> In the ideal world, it would be possible to have separate white lists for 
> docker registry depending on the security requirement for each type of docker 
> images:
> 1. Registries from which we can run non-privileged containers without mounts
> 2. Registries from which we can run non-privileged containers with mounts
> 3. Registries from which we can run privileged or non-privileged containers 
> with mounts
> In the current implementation, there are only type 1 and type 2 or 3.  It 
> would be nice to definite a separate white list to differentiate between 2 
> and 3.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to