[question] Run privileged necessary?

[rolfw]

The example Kubernetes deploment.yaml contains allowPrivilegeEscalation: true and privileged: true.

This seems like a security risk, so I'm wondering if this is necessary for proper operation of the container.

If so, what is it needed for, and how can privileges be limited to the meet the minimal requirements only?

[robertsLando]

@chrisns I think you made that file

[chrisns]

Hey
Yes, it's lazy, you can probably find a way to run as non-root and secomp what's needed to talk to the usb device. It's just not something I'd looked at yet.
It would be best practice, so a PR would be great if you want to figure it out and we can update the k8s and docker docs

[robertsLando]

@rolfw btw mind that this project is not maintained anymore, I suggest you to switch to zwavejs version

[rolfw]

Having done some research, it seems that k8s doesn't support an equivalent of Docker's --device flag yet: add support for host devices #5607. In issue comments the most mentioned approach is to use a Device Plugin and the only implementation I found was SMARTER Device Manager

Device plugins need to run as a daemon pod and they still need to run privileged, but at least this reduces attack surface since the main pod can run unprivileged and the daemon pod isn't listening on any ports (assuming it interacts with the kubelet directly).

Another approach I researched was to explicitly allow access to a particular path in /dev/* only, using something like SELinux, AppArmor or linux capabilities. Capabilities seem to be the most promising, since either SELinux and AppArmor needs to be installed on the node before pod-specific configuration is effective. So this would complicate deployment for users of zwave2mqtt who don't have that installed already.

I found a pull request for chaosmesh where they appear to have implemented this for the same reason: Remove privileged and add some capabilities (#1109) #1126.

I didn't get around to experimenting with any of this yet, but I might have some time in the next week or two to see if I can get it to work.

[rolfw]

@rolfw btw mind that this project is not maintained anymore, I suggest you to switch to zwavejs version

Thanks for mentioning, I wasn't aware of that. Maybe a good idea to include that in the readme of this repo as well. Is that project functionally equivalent and stable?

[chrisns]

@rolfw
Thanks for mentioning, I wasn't aware of that. Maybe a good idea to include that in the readme of this repo as well. Is that project functionally equivalent and stable?

Functionality superior, probably more stable (subjective)

[chrisns]

I didn't get around to experimenting with any of this yet, but I might have some time in the next week or two to see if I can get it to work.

Yes. Your summary of findings is roughly what I was expecting. It's not a unique problem really, wanting to expose a /dev device to a non-root user so should all be possible

Feel free to join the slack and we can work on it together if you like