Running Not Root Made Easy

The presentation discusses the challenges and solutions of running Kubernetes workloads without a root user, with a focus on the Kubevirt project. The speaker emphasizes the importance of security and usability in implementing security features.

• Kubevirt is a Kubernetes extension for running virtual machines alongside containers
• Transitioning to non-root users for pods running virtual machines posed challenges
• Problems with running Kubernetes workloads without a root user are common and can be discouraging
• The principle of least privilege reduces the surface for exploitation and makes it harder for attackers to gain privileges
• Tools like Pod Security Standards and restrictive policies can help enforce security
• The solution to managing categories is to use context-specific mount points with container cell Linux labels
• Security features must be usable and easily adoptable by end users to ensure secure environments

The speaker shares that Kubevirt faced interesting problems in transitioning to non-root users for pods running virtual machines. They emphasize that these problems are not specific to Kubevirt and can be encountered by anyone transitioning to non-root users. The speaker also highlights the importance of making security features usable and consumable by end users to ensure secure environments.

Kubevirt project recently transitioned to using non-root users for pods running virtual machines (VMs). The journey was far from smooth, and there were a number of problems that we had to overcome to achieve this. Most of the problems are not specific to Kubevirt: Anybody coming to Kubernetes or transitioning their application to non-root can run into these same problems and feel discouraged. But don't worry, you can learn from our journey. This presentation will run through the general problems of running Kubernetes workloads without a root user, the solutions that are available now, and the features that are coming to Kubernetes. By the end of this talk, you should be able to understand the problems behind running as non-root and be able to secure your application much easier!