request NET_RAW capabilities in CNI manifests #2063
Conversation
The only additional capability will be this - "Use RAW and PACKET sockets;". Thanks for the PR, we will look into it.
Also, instead of updating the sample manifests, since this would add additional capabilities for every user by default, would you be able to use helm and either update https://github.com/aws/amazon-vpc-cni-k8s/blob/master/charts/aws-vpc-cni/values.yaml or use "set" to include the capability?
@jayanthvn, I was the one that found this issue while working on internal stuff, so I wanted to chime in. This won't change the default permissions for anyone. If Edit: Forgot to say, I'm from the same team as @JingmingGuo
Thanks for pointing that out! Yes, we should add this additional capability for every user by default. I updated it and I'm looking forward to the reply.
Sorry for the confusion, I meant that not everyone would need the NET_RAW capability. I feel this has to be added on a need basis. Please let me know your thoughts.
Thanks for the response @jayanthvn! I did a little testing (v1.10.2 of the plugin) to see if I could get the plugin running with NET_RAW explicitly dropped. Here's my securityContext:

```yaml
securityContext:
  capabilities:
    add:
    - NET_ADMIN
    drop:
    - NET_RAW
```

When I set

```json
{"level":"error","ts":"2022-08-19T18:19:03.111Z","caller":"aws-k8s-agent/main.go:27","msg":"Initialization failure: ipamd init: failed to set up host network: host network setup: failed to add chain: running [/usr/sbin/iptables -t nat -N AWS-SNAT-CHAIN-0 --wait]: exit status 3: iptables v1.8.4 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n"}
```

I also tried the reversed configuration (enabling IPv6 and disabling IPv4) and got the following logs:

```json
{"level":"error","ts":"2022-08-19T18:22:54.759Z","caller":"aws-k8s-agent/main.go:27","msg":"Initialization failure: ipamd init: failed to set up host network: failed to enable IPv6: setupVeth network: failed to setup route to block pod access via IPv4 address: failed adding v4 drop route: running [/usr/sbin/iptables -t filter -I FORWARD 1 -d 169.254.172.0/22 -m conntrack --ctstate NEW -m comment --comment Block Node Local Pod access via IPv4 -j REJECT --wait]: exit status 3: conntrack: Could not determine whether revision 1 is supported, assuming it is.\nconntrack: Could not determine whether revision 2 is supported, assuming it is.\nconntrack: Could not determine whether revision 3 is supported, assuming it is.\nconntrack: Could not determine whether revision 3 is supported, assuming it is.\nconntrack: Could not determine whether revision 3 is supported, assuming it is.\nconntrack: Could not determine whether revision 2 is supported, assuming it is.\nconntrack: Could not determine whether revision 3 is supported, assuming it is.\nconntrack: Could not determine whether revision 2 is supported, assuming it is.\nconntrack: Could not determine whether revision 1 is supported, assuming it is.\niptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n"}
```

In both cases the logs seem to indicate https://github.com/aws/amazon-vpc-cni-k8s/blob/v1.10.2/pkg/ipamd/ipamd.go#L457-L461 is causing the error. Just glancing at the code, I don't see any way to configure the plugin to avoid invoking iptables, which seems to require NET_RAW. Let me know if you can reproduce. I didn't exhaustively test the configuration, so I might be missing a case where iptables is not used.
Yes, the plugin will require iptables and there is no scenario where we won't use it. Regarding your use case -> "Our application request NET_RAW capabilities that calls If you are on K8S slack, we can sync up on a time slot and get on a call to further discuss this.
Thanks for taking the time to set up the discussion meeting with us today. @S-Chan explained the reason and the fact why everyone needs NET_RAW. I just put the summary here for easier tracking: AWS VPC CNI k8s uses coreos/go-iptables/iptables for networking in multiple places (e.g.
Netfilter iptables includes libiptc: https://git.netfilter.org/iptables/tree/include/iptables.h#n6 which uses RAW sockets: https://git.netfilter.org/iptables/tree/libiptc/libiptc.c#n1312. So all users of AWS VPC CNI k8s will need CAP_NET_RAW, which is reasonable to set as the default. It also prevents failures if users didn't notice it.
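The test in the earlier comment (NET_ADMIN added, NET_RAW dropped) and the summary above both come down to one question: does the container's effective capability set still contain NET_RAW after the securityContext is applied? The checker below is an added example, not code from this PR or from the amazon-vpc-cni-k8s project; it assumes a typical OCI runtime default capability bundle and the usual "drops applied first, then adds" resolution, both marked as assumptions in the code.

```python
# Added example (not from the PR or the amazon-vpc-cni-k8s project): resolve the
# effective capability set a container gets from its Kubernetes securityContext and
# report containers that would lack NET_RAW, which iptables needs for its raw socket.
RUNTIME_DEFAULT_CAPS = frozenset({  # assumption: a typical OCI runtime default bundle
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
})

def _norm(name):
    # Accept both "NET_RAW" and "CAP_NET_RAW" spellings.
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name

def effective_caps(security_context, default=RUNTIME_DEFAULT_CAPS):
    caps = (security_context or {}).get("capabilities") or {}
    add = {_norm(c) for c in caps.get("add") or []}
    drop = {_norm(c) for c in caps.get("drop") or []}
    # Assumption: runtimes apply drops first and adds afterwards, so an explicit
    # add wins over a drop, and "drop: ALL" empties the set before adds are applied.
    base = set() if "ALL" in drop else set(default) - drop
    return frozenset(base | (add - {"ALL"}))

def missing_required(pod_spec, required=("NET_RAW", "NET_ADMIN")):
    """Return {container_name: [missing caps]} for containers lacking a required cap."""
    problems = {}
    for c in pod_spec.get("containers", []):
        eff = effective_caps(c.get("securityContext"))
        missing = [r for r in required if r not in eff]
        if missing:
            problems[c["name"]] = missing
    return problems

# Constructed sample pod specs: the securityContext from the test comment above
# (NET_RAW dropped) next to the shape the PR adds (NET_ADMIN and NET_RAW both added).
DROPPED = {"containers": [{"name": "aws-node", "securityContext": {
    "capabilities": {"add": ["NET_ADMIN"], "drop": ["NET_RAW"]}}}]}
FIXED = {"containers": [{"name": "aws-node", "securityContext": {
    "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}]}

if __name__ == "__main__":
    print(missing_required(DROPPED))  # {'aws-node': ['NET_RAW']}
    print(missing_required(FIXED))    # {}
```

The same function also flags the common hardening pattern `drop: [ALL]` with only NET_ADMIN re-added, which fails in exactly the way the iptables "Permission denied" log shows.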
Hi @JingmingGuo, thanks for the PR! I was able to verify that
When I removed
Also verified that
@renan-airbnb 's comment is valid:
We will need to include
@JingmingGuo can you please update the branch?
Sure, I updated the branch.
4a47946 to f22b4d1
@JingmingGuo thanks for updating, but you might still need to run
Thanks for pointing that out! I ran 'make format' and updated the PR. I see the checks have passed now.
Thanks, lgtm!
* request NET_RAW capabilities in CNI manifests
* add request NET_RAW capabilities in chart and jsonnet
* update format
What type of PR is this?
feature
Which issue does this PR fix:
#2061
What does this PR do / Why do we need it:
This PR requests NET_RAW capabilities in CNI manifests. The Linux NET_RAW capability lets us use RAW and PACKET sockets and bind to any address for transparent proxying, which is quite powerful. Our application requests NET_RAW capabilities that calls iptables, which opens up a SOCK_RAW netlink socket to configure netfilter settings. It's likely the VPC CNI will continue needing NET_RAW in the future and that it will be used by other applications.
If an issue # is not available please add repro steps and logs from IPAMD/CNI showing the issue:
Testing done on this change:
Automation added to e2e:
Will this PR introduce any new dependencies?:
No.
Will this break upgrades or downgrades. Has updating a running cluster been tested?:
No.
Does this change require updates to the CNI daemonset config files to work?:
Does this PR introduce any user-facing change?:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.