-
Notifications
You must be signed in to change notification settings - Fork 2.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add new page on securing Cilium pod access
Signed-off-by: ZSC <sarah.corleissen@isovalent.com>
- Loading branch information
1 parent
3a82250
commit 6be80ca
Showing
4 changed files
with
56 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,3 +24,4 @@ Securing Networks with Cilium | |
aws | ||
policy-creation | ||
host-firewall | ||
restrict-pod-access |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
.. only:: not (epub or latex or html) | ||
|
||
WARNING: You are looking at unreleased Cilium documentation. | ||
Please use the official rendered version released here: | ||
https://docs.cilium.io | ||
|
||
.. _security_restrict_pod_access: | ||
|
||
======================================== | ||
Restricting privileged Cilium pod access | ||
======================================== | ||
|
||
This page shows you how to restrict privileged access to Cilium pods by limiting access from the Kubernetes API, specifically from `kubernetes exec pod`_. | ||
|
||
.. include:: gsg_requirements.rst | ||
|
||
Background | ||
---------- | ||
|
||
The Cilium agent needs some specific Linux capabilities to perform essential system and network operations. | ||
|
||
Cilium relies on Kubernetes and containers to set up the environment and mount the corresponding volumes. Cilium doesn't perform any extra operations that could result in an unsafe volume mount. | ||
|
||
Cilium needs kernel interfaces to properly configure the environment. Some kernel interfaces are part of the ``/proc`` filesystem, which includes host and machine configurations that can't be virtualized or namespaced. | ||
|
||
If ``pod exec`` operations aren't restricted, then remote `exec into pods`_ and containers defeats Linux namespace restrictions. | ||
|
||
The Linux kernel restricts joining other namespaces by default. To enter the Cilium container, the ``CAP_SYS_ADMIN`` capability is required in both the current user namespace and in the Cilium user namespace (the initial namespace). If both namespaces have the ``CAP_SYS_ADMIN`` capability, then this is already a privileged access. | ||
|
||
To prevent privileged access to Cilium pods, restrict access to the Kubernetes API and arbitrary ``pod exec`` operations. | ||
|
||
Restrict authorization for ``kubernetes exec pod`` | ||
-------------------------------------------------- | ||
|
||
To restrict access to Cilium pods through ``kubernetes exec pod``: | ||
|
||
1. Configure `RBAC authorization`_ in Kubernetes. | ||
|
||
2. Limit `access to the proxy subresource of Nodes`_. | ||
|
||
References | ||
---------- | ||
|
||
For more information about namespace security, visit: | ||
|
||
- https://man7.org/linux/man-pages/man7/user_namespaces.7.html | ||
- https://man7.org/linux/man-pages/man1/nsenter.1.html | ||
- https://man7.org/linux/man-pages/man2/setns.2.html | ||
|
||
.. _kubernetes exec pod: https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/ | ||
.. _exec into pods: https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/ | ||
.. _RBAC authorization: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ | ||
.. _access to the proxy subresource of Nodes: https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1060,6 +1060,7 @@ virtIO | |
virtio | ||
virtualbox | ||
virtualization | ||
virtualized | ||
vlan | ||
vlanBypass | ||
vmlinux | ||
|