
agent: install CNI plugin binary in an InitContainer #24075

Merged
merged 1 commit into from Mar 11, 2023

Conversation

squeed
Contributor

@squeed squeed commented Feb 28, 2023

This reduces the potential security surface of the agent by removing the bind-mount of /opt/cni/bin. Instead, write the binaries once in an initContainer.

There is no currently known vulnerability exploiting this, but it's good practice to remove as many long-running host mounts as possible. This could be a potential further exploit vector if an agent were to be compromised.
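A way to check for the property this PR is after, added here as an example and not Cilium's own code: the script below audits the DaemonSet JSON that `kubectl get daemonset cilium -n kube-system -o json` prints and reports every container whose volumeMount is backed by a hostPath overlapping `/opt/cni/bin`, separating long-running containers (which should hold no such mount after this change) from init containers (where a write-once installer is expected to hold it). The two manifests embedded at the bottom are constructed, minimal stand-ins for the agent DaemonSet before and after the change; the image names, the `/host/opt/cni/bin` mount path and the installer command are assumptions.

```python
"""Audit a DaemonSet for long-lived hostPath mounts of the CNI binary directory.

Added example, not Cilium's own code. Consumes the JSON that
`kubectl get daemonset cilium -n kube-system -o json` prints. The manifests at
the bottom are constructed stand-ins; image names and the installer command
are assumptions.
"""
import json
import posixpath
import sys


def paths_overlap(a, b):
    """True if host paths a and b are equal or one lies beneath the other.

    A hostPath of /opt gives write access to /opt/cni/bin just as surely as
    mounting /opt/cni/bin itself, so ancestors count as overlapping too.
    """
    a = posixpath.normpath(a)
    b = posixpath.normpath(b)
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")


def _hostpath_volumes(pod_spec):
    """Map volume name -> host path for every hostPath volume in the pod spec."""
    return {
        v["name"]: v["hostPath"]["path"]
        for v in pod_spec.get("volumes", [])
        if v.get("hostPath") and "path" in v["hostPath"]
    }


def host_mounts(ds, host_dir="/opt/cni/bin"):
    """Return {"containers": [...], "initContainers": [...]}.

    Each entry is (container name, host path, mount path, read_only) for a
    volumeMount backed by a hostPath volume overlapping host_dir.
    """
    pod_spec = ds["spec"]["template"]["spec"]
    volumes = _hostpath_volumes(pod_spec)
    found = {}
    for kind in ("containers", "initContainers"):
        hits = []
        for c in pod_spec.get(kind, []):
            for m in c.get("volumeMounts", []):
                host = volumes.get(m["name"])
                if host is not None and paths_overlap(host, host_dir):
                    hits.append((c["name"], host, m["mountPath"], bool(m.get("readOnly", False))))
        found[kind] = hits
    return found


def long_lived_host_mounts(ds, host_dir="/opt/cni/bin"):
    """Mounts of host_dir held for the agent's whole lifetime. Empty is the goal."""
    return host_mounts(ds, host_dir)["containers"]


def _ds(containers, init_containers):
    """Constructed minimal DaemonSet document around the given container lists."""
    return {
        "apiVersion": "apps/v1",
        "kind": "DaemonSet",
        "metadata": {"name": "cilium", "namespace": "kube-system"},
        "spec": {"template": {"spec": {
            "volumes": [{"name": "cni-path",
                         "hostPath": {"path": "/opt/cni/bin", "type": "DirectoryOrCreate"}}],
            "initContainers": init_containers,
            "containers": containers,
        }}},
    }


CNI_MOUNT = {"name": "cni-path", "mountPath": "/host/opt/cni/bin"}  # assumed mount path
# Before: the agent itself holds the host mount for its whole lifetime.
BEFORE = _ds(
    containers=[{"name": "cilium-agent", "image": "cilium:example",  # assumed image
                 "volumeMounts": [CNI_MOUNT]}],
    init_containers=[])
# After: a one-shot init container writes the plugin; the agent has no such mount.
AFTER = _ds(
    containers=[{"name": "cilium-agent", "image": "cilium:example"}],
    init_containers=[{"name": "install-cni-binaries", "image": "cilium:example",
                      "command": ["/install-plugin.sh"],  # assumed installer entrypoint
                      "volumeMounts": [CNI_MOUNT]}])


def report(ds):
    """Print every overlapping mount; return True when no long-lived mount remains."""
    found = host_mounts(ds)
    for kind, hits in found.items():
        for name, host, mount, ro in hits:
            print(f"{kind}: {name} mounts {host} at {mount} ({'ro' if ro else 'rw'})")
    return not found["containers"]


if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run with no input to see the samples.
    if not sys.stdin.isatty():
        sys.exit(0 if report(json.load(sys.stdin)) else 1)
    for label, ds in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label}: {'clean' if report(ds) else 'long-lived host mount present'}")
```

Run it as `kubectl get ds cilium -n kube-system -o json | python3 audit_cni_mounts.py` against a live cluster; a non-zero exit means some long-running container still holds the `/opt/cni/bin` mount. The overlap check deliberately flags ancestor mounts such as a hostPath of `/opt`, since those grant the same write access to the CNI directory.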

@squeed squeed added area/cni Impacts the Container Networking Interface between Cilium and the orchestrator. release-note/misc This PR makes changes that have no direct user impact. labels Feb 28, 2023
@squeed squeed requested review from a team as code owners February 28, 2023 16:37
Member

@gandro gandro left a comment


Nice, I like it! One comment regarding Helm

@aanm
Member

aanm commented Mar 10, 2023

/test

@ferozsalam ferozsalam added needs-backport/1.11 This PR / issue needs backporting to the v1.11 branch needs-backport/1.12 This PR / issue needs backporting to the v1.12 branch needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch and removed needs-backport/1.11 This PR / issue needs backporting to the v1.11 branch needs-backport/1.12 This PR / issue needs backporting to the v1.12 branch labels Mar 10, 2023
This reduces the potential security surface of the agent by removing the
bind-mount of /opt/cni/bin. Instead, write the binaries once in an
initContainer.

There is no currently known vulnerability exploiting this, but it's good
practice to remove as many long-running host mounts as possible. This
could be a potential further exploit vector if an agent were to be
compromised.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@ferozsalam
Contributor

/test

@ferozsalam
Contributor

/test-1.24-5.4

@ferozsalam ferozsalam added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.13.1 Mar 11, 2023
@joestringer joestringer merged commit e1a4621 into cilium:master Mar 11, 2023
56 checks passed
@joestringer
Member

joestringer commented Mar 12, 2023

It looks a little bit like this may have broken container initialization on master.

  Warning  Failed     3m31s                  kubelet, k8s2      Error: failed to start container "install-cni-binaries": Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/install-plugin.sh": stat /install-plugin.sh: no such file or directory: unknown

EDIT: This may be just caused by unrebased PRs, sorry for the noise.

@ferozsalam ferozsalam added backport-pending/1.11 The backport for Cilium 1.12.x for this PR is in progress. and removed needs-backport/1.11 This PR / issue needs backporting to the v1.11 branch labels Mar 13, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Mar 13, 2023
@ferozsalam ferozsalam added backport-pending/1.12 The backport for Cilium 1.12.x for this PR is in progress. and removed needs-backport/1.12 This PR / issue needs backporting to the v1.12 branch labels Mar 13, 2023
@nebril nebril added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed backport-pending/1.12 The backport for Cilium 1.12.x for this PR is in progress. backport-pending/1.11 The backport for Cilium 1.12.x for this PR is in progress. needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Mar 14, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.13 in 1.13.1 Mar 14, 2023
@nebril nebril added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Mar 14, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.1 Mar 14, 2023
@bimmlerd bimmlerd added the affects/v1.10 This issue affects v1.10 branch label Mar 17, 2023
anthonyhaussman added a commit to anthonyhaussman/kops that referenced this pull request Apr 20, 2023
Starting with cilium version `1.12.8`, and to reduce the potential security surface of the agent, Cilium removes the bind-mount of `/opt/cni/bin` from the template.
Instead, the binaries are written once in an initContainer.

Ref:
 - cilium/cilium#24075