I'm trying to understand how securityContext works in my cluster (k8s v1.24, and the node is an Ubuntu 18.04).
I simply want to do a simple cat /dev/tty0 from the container.
Here is my simplified configuration of the node:
bash-4.2# ls -al /dev/tty0
crw--w---- 1 root tty 4, 0 Jul 25 05:16 /dev/tty0
bash-4.2# grep tty /etc/group
tty:x:5
I mounted /dev/tty0 to access it from the container and run the container with group ID 5 and user ID 0 (I also tried without the runAsUser, but the behaviour is the same):
    spec:
      volumes:
      - name: tty
        hostPath:
          path: /dev/tty0
      containers:
      - name: mycontainer
        image: ...
        volumeMounts:
        - name: tty
          mountPath: /dev/tty0
        securityContext:
          runAsUser: 0
          runAsGroup: 5
When I log in to the container:
bash-4.2# id
uid=0(root) gid=5(tty) groups=5(tty)
bash-4.2# ls -al /dev/tty0
crw--w---- 1 root tty 4, 0 Jul 25 05:16 /dev/tty0
But I cannot access /dev/tty0:
bash-4.2# cat /dev/tty0
cat: /dev/tty0: Operation not permitted
While from the node I don't have this error message.
This is just for testing purposes; my original use case is launching Xorg, but I get the same "Operation not permitted" error message.
I tried adding the "privileged: true" securityContext, and with this it works. However, it is not good practice to give this maximum capability to the container, and I'm trying to understand what the minimal security context to give to the pod is.
Thanks!
The securityContext specifies that the container should run as the user with UID 0 and GID 5. Even when the container runs with root privileges, it could still have certain restrictions imposed by the underlying container runtime for security reasons.
In your case, the issue is that accessing /dev/tty0 typically requires elevated privileges because it's a critical device file representing the first virtual terminal.
You can grant elevated privileges like this:
    apiVersion: v1
    kind: Pod
    metadata:
      name: my-pod
    spec:
      volumes:
      - name: tty
        hostPath:
          path: /dev/tty0
      containers:
      - name: mycontainer
        image: ...
        volumeMounts:
        - name: tty
          mountPath: /dev/tty0
        securityContext:
          privileged: true
But be careful: it's generally good practice to run containers with the least privileged user necessary to perform their intended task, because running a container with root privileges can be dangerous, as it allows direct access to system resources and can compromise the host system.
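Because `privileged: true` hands the container full access to host devices, a reviewer will usually want to spot that setting (and the related hostPath mounts of `/dev` entries) before such a manifest reaches a cluster. The following audit script is an added example, not code from the question or the answer above: it walks a Pod manifest that has already been loaded into a Python dict (as `yaml.safe_load` would produce; PyYAML is not required here) and returns a list of findings. The two manifests embedded below are constructed to mirror the ones in this thread; the image name is a placeholder since the thread elides it.

```python
"""Audit a Pod spec for high-risk securityContext settings.

Added example (not from the original question or answer). Reports the
findings a reviewer would want before admitting the Pod:
  - hostPath volumes that point into /dev and the containers mounting them
  - containers with privileged: true
  - containers that run as UID 0, or leave runAsUser unset (image default)
"""

from typing import Any, Dict, List

# Constructed sample mirroring the questioner's manifest (root + tty group).
POD_RUNAS_TTY: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-pod"},
    "spec": {
        "volumes": [{"name": "tty", "hostPath": {"path": "/dev/tty0"}}],
        "containers": [{
            "name": "mycontainer",
            "image": "example/image:placeholder",  # placeholder; elided in the thread
            "volumeMounts": [{"name": "tty", "mountPath": "/dev/tty0"}],
            "securityContext": {"runAsUser": 0, "runAsGroup": 5},
        }],
    },
}

# Constructed sample mirroring the answer's manifest (privileged: true).
POD_PRIVILEGED: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "my-pod"},
    "spec": {
        "volumes": [{"name": "tty", "hostPath": {"path": "/dev/tty0"}}],
        "containers": [{
            "name": "mycontainer",
            "image": "example/image:placeholder",  # placeholder; elided in the thread
            "volumeMounts": [{"name": "tty", "mountPath": "/dev/tty0"}],
            "securityContext": {"privileged": True},
        }],
    },
}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one Pod manifest (empty list = clean)."""
    findings: List[str] = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}

    # hostPath volumes under /dev expose host device nodes to the container.
    dev_volumes = set()
    for vol in spec.get("volumes") or []:
        host_path = (vol.get("hostPath") or {}).get("path", "")
        if host_path == "/dev" or host_path.startswith("/dev/"):
            dev_volumes.add(vol["name"])
            findings.append(f"volume {vol['name']}: hostPath {host_path} is a host device path")

    # initContainers get the same scrutiny as regular containers.
    for ctr in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        name = ctr.get("name", "<unnamed>")
        sc = ctr.get("securityContext") or {}

        if sc.get("privileged"):
            findings.append(f"container {name}: privileged=true (full host device and capability access)")

        # A container-level runAsUser overrides the pod-level value.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0:
            findings.append(f"container {name}: runs as UID 0")
        elif uid is None:
            findings.append(f"container {name}: runAsUser unset (image default, may be root)")

        for mount in ctr.get("volumeMounts") or []:
            if mount.get("name") in dev_volumes:
                findings.append(
                    f"container {name}: mounts host device volume {mount['name']} at {mount.get('mountPath')}"
                )
    return findings


if __name__ == "__main__":
    for label, pod in (("runAsUser/runAsGroup", POD_RUNAS_TTY), ("privileged", POD_PRIVILEGED)):
        print(f"== {label} ==")
        for line in audit_pod(pod):
            print("  -", line)
```

Run as-is to see the findings for both manifests from the thread; in practice the dict passed to `audit_pod` would come from loading the manifest file, and a non-empty result is the signal to review the Pod before applying it.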