[ https://issues.apache.org/jira/browse/YARN-8376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16790046#comment-16790046 ]
Eric Yang commented on YARN-8376:
---------------------------------
[~ebadger] {quote}I'm just having a hard time seeing a use case where you would
run a privileged container with very sensitive information and then not trust a
non-privileged container with that same information.{quote}
Privileged image might be used for admin purpose, with private information like
container-executor binary, Jenkins master secrets, Kerberos master keys, or ssh
private keys. In the perfect world, the private information is unique and
generated per instance launch. However, it is possible that admin uses the
controlled image as source of truth because some legacy app has secrets hard
coded. In this case, private information might become accessible to
non-privileged users because of allowing access to the container image with
relaxed access control on privileged registries. This is the reason that we
have to choose necessity over ease of use in this case.
> Separate white list for docker.trusted.registries and
> docker.privileged-container.registries
> --------------------------------------------------------------------------------------------
>
> Key: YARN-8376
> URL: https://issues.apache.org/jira/browse/YARN-8376
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: docker
> Attachments: YARN-8376.001.patch, YARN-8376.002.patch
>
>
> In the ideal world, it would be possible to have separate white lists for
> docker registry depending on the security requirement for each type of docker
> images:
> 1. Registries from which we can run non-privileged containers without mounts
> 2. Registries from which we can run non-privileged containers with mounts
> 3. Registries from which we can run privileged or non-privileged containers
> with mounts
> In the current implementation, there are only type 1 and type 2 or 3. It
> would be nice to define a separate white list to differentiate between 2
> and 3.
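The three registry types from the issue description, written as a launch check. This is an added example, not code from Hadoop YARN or from the attached patches. Assumptions: the two key names are taken from the issue title, the registry names and function names are hypothetical, registries are matched as a path prefix of the image name, and an image from neither list is treated as type 1.

```python
# Added illustration; not Hadoop YARN code.
TRUSTED_KEY = "docker.trusted.registries"
PRIVILEGED_KEY = "docker.privileged-container.registries"

# Constructed sample configuration; the registry names are hypothetical.
SAMPLE_CONFIG = {
    TRUSTED_KEY: "library,registry.example.com/apps",
    PRIVILEGED_KEY: "registry.example.com/admin",
}


def _registries(config, key):
    """Split a comma-separated allowlist value into registry names."""
    return [r.strip() for r in config.get(key, "").split(",") if r.strip()]


def _from_registry(image, registries):
    # Match a whole path component, so "admin-tools/x" does not match "admin".
    return any(image.startswith(r + "/") for r in registries)


def registry_type(image, config):
    """Return 1, 2 or 3, following the numbering in the issue description."""
    if _from_registry(image, _registries(config, PRIVILEGED_KEY)):
        return 3  # privileged or non-privileged containers, with mounts
    if _from_registry(image, _registries(config, TRUSTED_KEY)):
        return 2  # non-privileged containers, with mounts
    return 1      # non-privileged containers, without mounts


def launch_allowed(image, privileged, mounts, config):
    """Decide whether a launch request fits the image's registry type."""
    rtype = registry_type(image, config)
    if privileged:
        return rtype == 3
    if mounts:
        return rtype >= 2
    return True
```

With a single shared list, the second and third branches of `launch_allowed` collapse into one, which is the situation the issue sets out to change.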