Default allow_privilege_escalation to False

Allows it to be set to None as well, to not set the property. This is a breaking change for hubs where admins were granting sudo rights to users. That already required some extra work, so this would be an additional propety to set for that. The added security benefit from this much more secure default is well worth the breakage IMO. Fixes #544
jupyterhub · Nov 15, 2021 · 4258795 · 4258795
1 parent fdfa2ad
commit 4258795
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/kubespawner/objects.py b/kubespawner/objects.py
@@ -64,7 +64,7 @@ def make_pod(
     fs_gid=None,
     supplemental_gids=None,
     privileged=False,
-    allow_privilege_escalation=True,
+    allow_privilege_escalation=False,
     container_security_context=None,
     pod_security_context=None,
     env=None,
@@ -166,6 +166,7 @@ def make_pod(
 
     allow_privilege_escalation:
         Controls whether a process can gain more privileges than its parent process.
+        Functionally, determines if setuid binaries (like sudo) work.
 
     container_security_context:
         A kubernetes securityContext to apply to the container.
@@ -424,8 +425,8 @@ def make_pod(
         csc["runAsGroup"] = int(gid)
     if privileged:  # false as default
         csc["privileged"] = True
-    if not allow_privilege_escalation:  # true as default
-        csc["allowPrivilegeEscalation"] = False
+    if allow_privilege_escalation is not None:  # false as default
+        csc["allowPrivilegeEscalation"] = allow_privilege_escalation
     if container_security_context:
         for key in container_security_context.keys():
             if "_" in key:

diff --git a/kubespawner/spawner.py b/kubespawner/spawner.py
@@ -913,13 +913,18 @@ def _validate_image_pull_secrets(self, proposal):
     )
 
     allow_privilege_escalation = Bool(
-        True,
+        False,
+        allow_none=True,
         config=True,
         help="""
         Controls whether a process can gain more privileges than its parent process.
 
+        When set to False (the default), the primary user visible effect is that
+        setuid binaries (like sudo) will no longer work.
+
+        When set to None, the defaults for the cluster are respected.
+
         This bool directly controls whether the no_new_privs flag gets set on the container
-        process.
 
         AllowPrivilegeEscalation is true always when the container is:
         1) run as Privileged OR 2) has CAP_SYS_ADMIN.