Nova API runs as privileged container

Bug #1649103 reported by Pete Birley
This bug affects 2 people
Affects: kolla-kubernetes
Status: In Progress
Importance: Medium
Assigned to: Pete Birley
Milestone:

Bug Description

The current implementation of kolla-k8s runs the Nova-API container in the Nova-API pod with elevated privileges, as a result of some unnecessary iptables commands run upon starting the Nova-Metadata API. This is not required when running in Kubernetes, and presents a potential security risk.

Pete Birley (portdirect) wrote :

A potential solution to this issue is here: https://github.com/portdirect/harbor/tree/latest/docker/openstack/openstack-nova/openstack-nova-api-metadata/assets/sbin, though it would be nicer to find a more elegant way.

Changed in kolla-kubernetes:
importance: Undecided → Medium
assignee: nobody → Pete Birley (portdirect)
status: New → In Progress
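
To confirm that a change for this bug actually removes the elevated privileges, the rendered pod specs can be audited for `privileged: true` and for added capabilities such as NET_ADMIN (which iptables requires). The script below is an added example, not code from this bug report or from kolla-kubernetes; it assumes manifests in the JSON shape printed by `kubectl get -o json`, and the sample manifest, the `RISKY_CAPS` set and the function names are constructed for illustration.

```python
import json

# Constructed sample (not taken from kolla-kubernetes): a Deployment shaped
# like `kubectl get deploy -o json` output, with one privileged container.
SAMPLE = json.loads("""
{"kind": "Deployment",
 "metadata": {"name": "nova-api"},
 "spec": {"template": {"spec": {
   "initContainers": [
     {"name": "init", "image": "example/init"}],
   "containers": [
     {"name": "nova-api", "image": "example/nova-api",
      "securityContext": {"privileged": true}},
     {"name": "sidecar", "image": "example/sidecar",
      "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}}}
""")

# Assumption of this example: capabilities worth flagging next to `privileged`.
# NET_ADMIN is what iptables needs; SYS_ADMIN and ALL are broader still.
RISKY_CAPS = {"NET_ADMIN", "SYS_ADMIN", "ALL"}


def pod_spec(obj):
    """Return the PodSpec of a Pod, or of a workload that embeds a pod template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def audit(obj):
    """List (container, finding) pairs for privileged or capability-elevated containers."""
    findings = []
    spec = pod_spec(obj)
    for key in ("initContainers", "containers"):
        for c in spec.get(key) or []:
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                findings.append((c["name"], "privileged"))
            caps = (sc.get("capabilities") or {}).get("add") or []
            for cap in sorted({x.upper() for x in caps} & RISKY_CAPS):
                findings.append((c["name"], "cap:" + cap))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{SAMPLE['metadata']['name']}/{name}: {finding}")
```

An empty result for the Nova API pod after the fix is the condition to check for; any remaining finding means the container still holds privileges beyond what the API service needs.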