Available in VPC
Learn how to resolve issues with ML expert Platform.
Admission Policy
ML expert Platform applies its own Admission Policy to detect various security threats and provide a secure Kubernetes environment.
By default, the Admission Policy grants users only the minimum permissions required to run applications. If you see a message such as "admission webhook ... denied the request" when creating a Pod in ML expert Platform, check the solution for each Rule ID and take appropriate action.
| Rule ID | Rule Name | Description | Go to page |
|---|---|---|---|
| AR-1 | Privileged | privileged: true cannot be set | View |
| AR-6 | Host Network | spec.hostNetwork : true cannot be set | View |
| AR-7 | Host IPC | spec.hostIPC: true cannot be set | View |
| AR-8 | Host PID | spec.hostPID: true cannot be set | View |
| AR-9 | Host Path | Cannot set values for spec.volumes.hostPath | View |
| AR-10 | Host Port | Cannot set values for spec.containers.ports.hostPort | View |
| AR-13 | procMount mask | Cannot set values for spec.containers.securityContext.procMount | View |
| AR-14 | Volume Types | Only predefined Volume types are allowed | View |
[AR-1] Privileged
Privileged containers bypass container isolation and have the same privileges as the host system. This can affect resources belonging to other users.
Configuration examples
Safe configuration
apiVersion: v1
kind: Pod
metadata:
name: safe-example
spec:
containers:
- name: app
image: nginx
Unsafe configuration
apiVersion: v1
kind: Pod
metadata:
name: unsafe-example
spec:
containers:
- name: app
image: nginx
securityContext:
privileged: true #Unsafe configuration
[AR-6] Host Network
HostNetwork settings allow Pods to use the host interface, such as eth0. This enables attackers to break out of the Network Namespace isolation of development Pods and arbitrarily manipulate the host network.
Configuration examples
Safe configuration
apiVersion: v1
kind: Pod
metadata:
name: safe-example
spec:
containers:
- name: app
image: nginx
Unsafe configuration
apiVersion: v1
kind: Pod
metadata:
name: unsafe-example
spec:
hostNetwork: true #Unsafe configuration
containers:
- name: app
image: nginx
[AR-7] Host IPC
hostIPC settings allow processes in a Pod to communicate with all host processes through IPC. This enables attackers who have compromised a container to communicate with host processes through IPC, such as shared memory and message queues.
Configuration examples
Safe configuration
apiVersion: v1
kind: Pod
metadata:
name: safe-example
spec:
containers:
- name: app
image: nginx
Unsafe configuration
apiVersion: v1
kind: Pod
metadata:
name: unsafe-example
spec:
hostIPC: true #Unsafe configuration
containers:
- name: app
image: nginx
[AR-8] Host PID
hostPID settings allow Pods to access all processes on the host. This enables attackers to perform malicious actions, such as kill and attach, on all processes running on the host.
Configuration examples
Safe configuration
apiVersion: v1
kind: Pod
metadata:
name: safe-example
spec:
containers:
- name: app
image: nginx
Unsafe configuration
apiVersion: v1
kind: Pod
metadata:
name: unsafe-example
spec:
hostPID: true #Unsafe configuration
containers:
- name: app
image: nginx
[AR-9] Host Path
When using a hostPath volume mount, the isolated container filesystem can access file paths on the host. This allows attackers to take control of the host by mounting critical host system paths through incorrect hostPath settings.
Configuration examples
Safe configuration
apiVersion: v1
kind: Pod
metadata:
name: safe-example
spec:
containers:
- name: app
image: nginx
Unsafe configuration
apiVersion: v1
kind: Pod
metadata:
name: unsafe-example
spec:
volumes:
- name: host-volume
hostPath: #Unsafe configuration
path: /proc
containers:
- name: app
image: nginx
volumeMounts:
- name: host-volume
mountPath: /proc
[AR-10] Host Port
If you use hostPort, you can open any host port you want. This can cause conflicts between applications running on the host and competition between Pods to reserve host ports. Do not use hostPort unless it is required for Kubernetes management Pods.
Configuration examples
Safe configuration
apiVersion: v1
kind: Pod
metadata:
name: safe-example
spec:
containers:
- name: app
image: nginx
Unsafe configuration
apiVersion: v1
kind: Pod
metadata:
name: unsafe-example
spec:
containers:
- name: app
image: nginx
ports:
- containerPort: 80
hostPort: 80 # Unsafe configuration
[AR-13] procMount mask
Sensitive files and paths inside containers are masked or set to read-only by default because the /proc and /sys paths contain Linux system information. Sensitive information may be exposed or the host system may be affected.
Configuration examples
Safe configuration
apiVersion: v1
kind: Pod
metadata:
name: safe-example
spec:
containers:
- name: app
image: nginx
Unsafe configuration
apiVersion: v1
kind: Pod
metadata:
name: unsafe-example
spec:
containers:
- name: app
image: nginx
securityContext:
procMount: Unmasked # Unsafe configuration
[AR-14] Volume Types
ML expert Platform supports the following volume types. Creation of any other volume types is not permitted.
- configMap
- csi
- downwardAPI
- emptyDir
- configMap
- ephemeral
- persistentVolumeClaim
- projected
- secret
Configuration examples
Safe configuration
apiVersion: v1
kind: Pod
metadata:
name: safe-example
spec:
volumes:
- name: config
configMap:
name: app-config
containers:
- name: app
image: nginx
volumeMounts:
- name: config
mountPath: /etc/app
Unsafe configuration
apiVersion: v1
kind: Pod
metadata:
name: unsafe-example
spec:
volumes:
- name: nfs-path
nfs: # Unsafe configuration
server: 10.10.10.10
path: /test/path
containers:
- name: app
image: nginx
volumeMounts:
- name: nfs-path
mountPath: /nfs/path