Kube runner build pods allow to mount Host Volume, need to be disable

Hi,

I am running Kube runner and I see builds pods allow to run if on Yaml its added the following config:
volumes: [
{
name: ‘dockersock’,
host: {
path: ‘/var/run’,
},
},
local dockerVolume = {
name: ‘dockersock’,
path: ‘/var/run’,
};

i want to completey block drone from able to mount Host Volume, I saw there is PSP for kube which not defined on runner-kube helm
can you pls update the configuration ASAP this is a serious security risk which allow user to mount host volume

when describe runner-kube I am seeing:
11:56 $ kubectl describe pods xxx-kube-drone-runner-kube-845cb7b4b5-wxprl
Name: xxxx-kube-drone-runner-kube-845cb7b4b5-wxprl
Namespace: default
Priority: 0
PriorityClassName:
Node: ip-10-207-4-189.ec2.internal/10.207.4.189
Start Time: Wed, 08 Jul 2020 20:40:18 +0300
Labels: app.kubernetes.io/component=drone-runner-kube
app.kubernetes.io/instance=xxxx-kube
app.kubernetes.io/name=drone-runner-kube
pod-template-hash=845cb7b4b5
Annotations: checksum/secrets: 6c704c6216f94c578215abef3802f32d8d007900fee35d6db067128a078199ea
kubernetes.io/psp: eks.privileged

i want to completely block drone from able to mount Host Volume, I saw there is PSP for kube which not defined on runner-kube helm can you pls update the configuration ASAP this is a serious security risk which allow user to mount host volume

mounting host volumes is blocked by default and will result in an error [1]. Only trusted projects (explicitly marked as trusted by a system admin) have the ability to use privileged features such as mounting a volume, for the security reasons you mentioned, and comes with a disclaimer in the docs:

From the docs:
This setting is only available to trusted repositories, since mounting host machine volumes is a security risk.

If you want to disable mounting host volumes you need to avoid trusted mode. Trusted mode gives projects the option to use features like host machine volumes and privileged escalation, both of which have security implications.

[1] https://github.com/drone-runners/drone-runner-kube/blob/master/engine/linter/linter.go#L105:L110

ok, but if a repo has been sets to Trusted is there any possible from underlying that I block Drone from mount host volume

If you are setting a repository as trusted, I presume you are enabling privileged containers? If you are enabling privileged containers you are effectively granting your pipeline root access to the host machine. What is the practical security benefit of blocking host machine mounts when a privileged container can already escalate access the host?

The benefit is from human mistake error, especially when I run on Kubernetes, when pipeline mount Host volume of /var/run/docker.sock it cause the worker node to stop completely and I want to prevent it, but for some reason if I need to run dind I need to set privileged containers.

In that case, you might be interested in the option to globally set docker:dind images to privileged (meaning you can remove privileged: true from the yaml). When you enable this setting you will no longer need to mark your repositories as trusted, which will in turn prevent users from mounting host volumes.

The name of the setting is DRONE_RUNNER_PRIVILEGED_IMAGES and it should be passed to the runner. The following configuration values should work:

DRONE_RUNNER_PRIVILEGED_IMAGES=docker:dind,library/docker:dind

ok, This is great option, what about secrets? does regular user can add/change/remove secrets from Org and from repo? if not, our developers are full stacks and manage the secrets by themselves, requesting them to collaborate for each secret might slow down the progerss, the meaning if I can remove them from admin role

A regular user can manage organization secrets if they are an administrator of the organization (in github).

Ok good to know, thanks!