Domino leverages Kubernetes security contexts to deploy pods with the least privileges necessary for them to function.
By default, pods created by Domino run with the following settings:
-
Run as a non-root user with
runAsRoot: false
,runAsNonRoot: true
, andprivileged: false
set. -
Acquisition of additional system-level
capabilities
must be prevented withdrop: ["ALL"]
.
Domino does not support a policy where readOnlyRootFilesystem
is set.
In addition, due to inconsistency between SELinux support and volume relabeling, all Domino pods run with an SELinux type option spc_t
.
This setting purposefully bypasses volume relabeling due to the performance impact of volume relabeling while creating Domino user workloads.
Pods that do not adhere to the policies above, such as requiring root privileges or additional capabilities, are documented below with privileged
indicating pods that need additional user or root privileges and capabilities
indicated pods that may require additional system-level capabilities.
Pod Name | Exceptions | Description |
---|---|---|
|
| Requires access to host node resources in order to provision and manage AWS EBS volumes for Domino. Will not be installed if AWS EBS is not configured as a storage provider during installation. |
|
| Requires access to host node resources in order manage AWS EFS volumes for Domino. Will not be installed if AWS EFS is not configured as a storage provider during installation. |
|
| Requires access to host node resources in order manage AWS EFS volumes for Domino. Will not be installed if AWS EFS is not configured as a storage provider during installation. |
|
| Requires access to host node resources in order to manage SMB volumes for Domino. Will not be installed if SMB volume management is not configured during installation. |
|
| Requires access to host node resources in order to manage SMB volumes for Domino. Will not be installed if SMB volume management is not configured during installation. |
|
| Requires access to host node resources in order to communicate with NVIDIA host engine and expose GPU metrics. Will only run on nodes with NVIDIA GPUs. An option to disable this service is available by setting gpu_monitoring_enabled to false in deploy.yaml |
|
| Requires access to host node resources in order to manage trusted certificates for Docker when Domino is configured to use a self-provided image registry. Will not be installed if an external Docker registry is configured during installation. |
|
| Requires privileged access to filesystem resources for data backup. |
|
| Requires privileged access to filesystem resources for data backup. |
|
| Requires privileged access to filesystem resources for disaster recovery and data access. This service does not run by default and must be enabled by admins when needed. |
|
| Requires privileged access to system in order to set a mandatory system limit. If the system setting can be managed outside of Domino, elevated privileges can be removed by setting the following:
|
|
| Requires access to host node resources in order to audit system events using eBPF. |
|
| Requires access to host node resources in order to follow container logs which are used to view workload output within Domino. |
|
| BuildKit powers container image building for the environments feature of Domino. By default, requires privileged access in order to utilize
|
|
| Requires access to host node resources in order to communicate with the container runtime when caching container images for faster workload scheduling. Can be disabled by setting the following:
|
|
| Requires access to host node resources in order to facilitate network setup for Istio. Will not be installed if Istio is not enabled or the CNI option is disabled. |
|
| Requires access to host node resources in order to effectively monitor CPU, memory, network, and disk usage and report to New Relic. Will not be installed if New Relic is not configured for Domino during installation. |
|
| Requires access to host node resources in order to follow container logs and report to New Relic. Will not be installed if New Relic is not configured for Domino during installation. |
|
| NFS Client Provisioner requires privileged access to filesystem resources in order to manage NFS volumes for Domino. Will not be installed if NFS is not configured as a storage provider during installation. |
|
| Requires access to host node resources in order to communicate with the Kubernetes device API and expose NVIDIA GPU resources to the cluster. Will not be installed if GPU capabilities are not configuring during installation. |
|
| Requires access to host node resources in order to communicate with the Kubernetes device API and expose NVIDIA GPU resources to the cluster. Will not be installed if GPU capabilities are not configuring during installation. |
|
| Requires access to host node resources in order to install and manage NVIDIA drivers for GPU-enabled instance types. Only required for installations on GKE clusters. |
|
| Requires access to host node resources in order to manage storage volumes. Will not be installed if OpenEBS is not configured as a storage provider during installation. |
|
| Requires access to host node resources in order to communicate with the Kubernetes device API and expose FUSE devices to the cluster. |
All user-generated pods from workspaces, jobs, apps, or on-demand compute clusters run with a user and capabilities according to the Central Configuration entry for com.cerebro.domino.computegrid.kubernetes.nonRootExecutions.enabled
.
See Central Configuration and non-root executions release notes for details.
All user-generated pods from models run as a non-root user but with privilege-escalation capability.
Please see Pod Security Policies for an overview of how policies are enforced and specific information about the removal of Pod Security Policies in Kubernetes v1.25.