------- Comment From boris.m...@de.ibm.com 2023-02-21 07:56 EDT -------
This is a more detailed description of the problem, including SRU relevant information.

SRU Justification:
==================

[Problem Statement]

* For IBM Hyper Protect Virtual Servers v2 (aka HPCR) we plan to leverage the `podman play kube` functionality to bring up OCI containers based on k8s pod definitions in a secure enclave.
* Since this will be running in a secure enclave, our customers can control network connectivity, in particular connectivity to the container registries needed to pull images.
* The podman version available in Ubuntu 22.04 (podman v3.4.4) automatically pulls a `pause` image from `k8s.gcr.io/pause`. This has the disadvantage that connectivity to `k8s.gcr.io` is needed, and in addition it pulls in a potentially untrusted image.
* This behaviour has been fixed in a later version of podman via https://github.com/containers/podman/issues/12254 in favour of pre-packaging a podman-specific version of a pause container.

[Impact]

* With the current behaviour of podman, HPCR cannot run in a private-only network configuration without access to `k8s.gcr.io`. Mitigation: HPCR could try to pre-package a copy of k8s.gcr.io/pause.
* HPCR relies on k8s.gcr.io/pause, but we do not have open source approval for that container.

[Test Plan]

* Start any k8s payload using `podman play kube`. Then verify that `k8s.gcr.io/pause` is not part of the running containers.

[Where problems could occur]

* The `k8s.gcr.io/pause` container is only needed to keep the cluster up; afaik there is no direct dependency on that container name by any other container or component.

** Bug watch added: github.com/containers/podman/issues #12254
   https://github.com/containers/podman/issues/12254
https://bugs.launchpad.net/bugs/2007972

Title:
  [UBUNTU 22.04] Podman play kube: brings in unwanted (untrusted) k8s pause

Status in linux package in Ubuntu:
  New

Bug description:
  There is a security problem (podman would try to pull an untrusted image, the pause image) that needs to be fixed in Ubuntu 22.04. The required fix is described & provided here: https://github.com/containers/podman/issues/12254
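One way to script the verification step from the test plan above, as an added example that is not code from the bug report or from the podman project: it checks the "NAME IMAGE" lines that `podman ps -a --format '{{.Names}} {{.Image}}'` prints for any container whose image comes from `k8s.gcr.io/pause`. The sample container lines, and the `localhost/podman-pause` image name used to stand in for the fixed behaviour, are constructed for illustration.

```shell
#!/bin/sh
# Added example: verifies the test plan step "k8s.gcr.io/pause is not part of
# the running containers". Not code from the bug report or from podman.

# Reads "NAME IMAGE" lines (one container per line, as produced by
# `podman ps -a --format '{{.Names}} {{.Image}}'`) from its first argument.
# Returns 0 when no container uses an image from k8s.gcr.io/pause, 1 otherwise,
# naming the offending containers on stderr.
check_no_gcr_pause() {
    found=0
    while read -r name image; do
        [ -n "$name" ] || continue
        case "$image" in
            k8s.gcr.io/pause*)
                echo "untrusted pause image in use: $name -> $image" >&2
                found=1 ;;
        esac
    done <<EOF
$1
EOF
    return "$found"
}

# Constructed sample of the unfixed behaviour: the infra container podman 3.4.4
# creates for a pod, plus the pod's workload container.
SAMPLE_UNFIXED='1f2e3d4c5b6a-infra k8s.gcr.io/pause:3.5
web-app docker.io/library/nginx:1.23'

# Constructed sample of the fixed behaviour: the infra container uses a locally
# built pause image (image name and tag are assumed, not from the bug report).
SAMPLE_FIXED='1f2e3d4c5b6a-infra localhost/podman-pause:4.3.1-0
web-app docker.io/library/nginx:1.23'

if [ "${1:-}" = "--live" ]; then
    # Check the real host instead of the constructed samples.
    check_no_gcr_pause "$(podman ps -a --format '{{.Names}} {{.Image}}')"
else
    check_no_gcr_pause "$SAMPLE_UNFIXED" && echo "unexpected: unfixed sample passed"
    check_no_gcr_pause "$SAMPLE_FIXED" && echo "fixed sample: no k8s.gcr.io/pause in use"
fi
```

Run it with `--live` on a host after `podman play kube` to check the actual container list; a non-zero exit means an infra container is still using the k8s.gcr.io pause image.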