[UBUNTU 22.04] Podman play kube: brings in unwanted (untrusted) k8s pause
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
libpod (Ubuntu) | Fix Released | High | Ubuntu Security Team |
Jammy | Fix Released | High | Unassigned |
Kinetic | Won't Fix | High | Unassigned |
Bug Description
SRU Justification:
------------------
[ Impact ]
* Pods no longer need the k8s pause image (newer podman builds its own local pause image),
but podman play kube in jammy still fetches it.
* This is a security problem: podman pulls an image from an external registry (k8s.gcr.io)
that the user never asked for and has no reason to trust, and the pull requires network access to that registry.
* https:/
[ Test Plan ]
* As described in the upstream issue:
* $ bin/podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
$ printf "apiVersion: v1\nkind: Pod\nmetadata:\n name: foo\n" | env \
CONTAINER_
Pod:
738622313f1f
* $ bin/podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/
k8s.gcr.io/pause 3.5 ed210e3e4a5b 7 months ago 690 kB
* It's expected to see localhost/
[ Where problems could occur ]
* Problems could occur if someone accidentally makes use of the k8s.gcr.io/pause image,
which shouldn't be the case.
* Or if there is no local podman-pause image, or it isn't built properly.
* In case of issues with the modification in func pullImage(*),
the general pulling of images could be harmed.
[ Other Info ]
* PR 12280 fixes this with commit f517510bc8c11f6,
which is upstream since 4.0.0.
* Since libpod 4.3.1+ds1-5 is in lunar-proposed,
lunar is (soon) no longer affected.
__________
There is a security problem (podman would try to pull an untrusted image, the pause image) that needs to be fixed in Ubuntu 22.04.
The required fix is described & provided here:
https:/
tags: added: architecture-s39064 bugnameltc-201616 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
information type: Public → Private Security
affects: linux (Ubuntu) → libpod (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in libpod (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Ubuntu Security Team (ubuntu-security)
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → High
description: updated
tags: added: patch
Changed in ubuntu-z-systems:
status: In Progress → Fix Released
------- Comment From <email address hidden> 2023-02-21 07:56 EDT-------
This is a more detailed description of the problem, including SRU relevant information
SRU Justification:
==================
[Problem Statement]
* For IBM hyper protect virtual servers v2 (aka HPCR) we plan to leverage the `podman play kube` functionality to bring up OCI containers based on k8s pod definitions in a secure enclave
* since this will be running in a secure enclave, our customers can control network connectivity, in particular connectivity to the container registries needed to pull images
* the podman version available in Ubuntu 22.04 (podman v3.4.4) automatically pulls a `pause` image from `k8s.gcr.io/pause`. This has the disadvantage that connectivity is needed to `k8s.gcr.io` and in addition this pulls in a potentially untrusted image
* this behaviour has been fixed in a later version of podman via https://github.com/containers/podman/issues/12254 in favour of pre-packaging a podman specific version of a pause container
[Impact]
* with the current behaviour of podman, HPCR cannot run in a private-only network configuration without access to `k8s.gcr.io`. Mitigation: HPCR could try to pre-package a copy of k8s.gcr.io/pause
* HPCR relies on k8s.gcr.io/pause but we do not have open source approval for that container
[Test Plan]
* start any k8s payload using `podman play kube`. Then verify that `k8s.gcr.io/pause` is not part of the running containers
[Where problems could occur]
* the `k8s.gcr.io/pause` container is only needed to keep the cluster up, afaik there is no direct dependency on that container name by any other container or component
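The two test plans on this page (the SRU test plan in the bug description and the one in the comment above) come down to the same check: after `podman play kube`, no pause image from `k8s.gcr.io` may have been pulled or be running, and the locally built `podman-pause` image must be present instead. The script below is an added example written for this page; it is not code from the bug report, from podman or from IBM. It applies that check to constructed sample listings offline and, when run with `--live` on a host that has podman, feeds the minimal pod from the description's test plan through `podman play kube` and checks the real `podman images` and `podman ps` output. The full image name `localhost/podman-pause` is assumed from the truncated `localhost/` entry and the "local podman-pause" remark in the description; `registry.k8s.io` is assumed here as the successor registry of `k8s.gcr.io` and is not mentioned in the report.

```shell
#!/bin/sh
# Added example for this bug page (not from the report, podman or IBM).
# Verifies the SRU test plans: after `podman play kube`, no pause image
# from an external registry may be present or running, and the locally
# built podman-pause image must exist.
#
# Offline demo:   sh check_pause.sh
# Against podman: sh check_pause.sh --live

# k8s.gcr.io/pause is the image named in the report. registry.k8s.io is
# an assumption added here as its successor registry.
UNTRUSTED_PAUSE_RE='^(k8s\.gcr\.io|registry\.k8s\.io)/pause(:|$)'
# Assumed full name of the local pause image ("localhost/" plus the
# "podman-pause" mentioned in the description).
LOCAL_PAUSE_RE='^localhost/podman-pause(:|$)'

# The minimal pod from the description's test plan: no containers, so the
# only container podman creates is the infra (pause) container.
minimal_pod_yaml() {
    printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: foo\n'
}

# check_images: reads "repository:tag" lines on stdin, as printed by
#   podman images --format '{{.Repository}}:{{.Tag}}'
# Returns 0 when no external pause image is present and the local one is;
# returns 1 and reports the reason on stderr otherwise.
check_images() {
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -Eq "$UNTRUSTED_PAUSE_RE"; then
        printf 'FAIL: pause image pulled from an external registry:\n' >&2
        printf '%s\n' "$listing" | grep -E "$UNTRUSTED_PAUSE_RE" >&2
        return 1
    fi
    if ! printf '%s\n' "$listing" | grep -Eq "$LOCAL_PAUSE_RE"; then
        printf 'FAIL: local podman-pause image was not built\n' >&2
        return 1
    fi
    return 0
}

# check_containers: reads one image reference per line on stdin, as printed by
#   podman ps -a --format '{{.Image}}'
# Returns 1 if any container (the pod's infra container included) uses the
# external pause image, 0 otherwise.
check_containers() {
    if grep -Eq "$UNTRUSTED_PAUSE_RE"; then
        printf 'FAIL: a container is running the external pause image\n' >&2
        return 1
    fi
    return 0
}

# live_check: the end-to-end test plan against an installed podman.
# The pod is named "foo" by minimal_pod_yaml and is removed afterwards.
live_check() {
    command -v podman >/dev/null 2>&1 || { echo "podman not installed"; return 1; }
    tmp=$(mktemp) || return 1
    minimal_pod_yaml > "$tmp"
    podman play kube "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    podman images --format '{{.Repository}}:{{.Tag}}' | check_images || return 1
    podman ps -a --format '{{.Image}}' | check_containers || return 1
    podman pod rm -f foo >/dev/null 2>&1
    echo "live check: no external pause image pulled or running"
}

# Constructed sample listings (not real podman output): what podman 3.4.4
# in jammy leaves behind versus what the fixed version leaves behind.
UNFIXED_IMAGES='k8s.gcr.io/pause:3.5
docker.io/library/alpine:latest'
FIXED_IMAGES='localhost/podman-pause:3.4.4
docker.io/library/alpine:latest'

demo() {
    printf 'unfixed listing: '
    if printf '%s\n' "$UNFIXED_IMAGES" | check_images 2>/dev/null; then
        echo pass
    else
        echo 'fail (expected: k8s.gcr.io/pause was pulled)'
    fi
    printf 'fixed listing:   '
    if printf '%s\n' "$FIXED_IMAGES" | check_images; then echo pass; else echo fail; fi
}

demo
if [ "${1:-}" = "--live" ]; then live_check; fi
```

On an unpatched jammy podman 3.4.4 the live check is expected to fail on the first listing with `k8s.gcr.io/pause:3.5`; on the patched package it should pass, and the infra container of pod `foo` should show `localhost/podman-pause` in `podman ps -a`. The checks read plain listings on stdin, so the same functions can be pointed at output captured from a host inside the enclave where podman itself is not reachable from the test machine.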