New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for operation on clusters that restrict NET_ADMIN #1887
Comments
Great to see this picked up! If you need testers let me know... In my opinion, even if it is not required, skipping root images and avoiding cap_net_admin priviledges is always a good thing and should be the default. Or are there any downsides other than deploying a deamonset for management? |
@mmack there are definitely tradeoffs. After digging into this some more, it looks like going the CNI route is more sustainable than a daemonset controller (for obvious sync reasons). Unfortunately, not every environment lets you add a new CNI plugin. Ideally, this would be the default though, just need to make sure it works in most cases and has clear guard rails. Some |
@grampelberg so the plan is to add a second CNI? My primary is calico atm... |
@mmack that looks like the best solution I can find so far. You add a new CNI plugin to the chain that simply sets the iptables rules up (and cleans them up on teardown). |
CNI plugin
Some things to pay attention to:
Potential solution:
DaemonSet for installationBefore including this as part of the
|
Feature Request
What problem are you trying to solve?
Many production clusters are locked down and do not allow arbitrary pods to have
cap_net_admin
. This makes it, unfortunately, impossible to use linkerd in these environments.How should the problem be solved?
It would be nice to have an option (addon?) that does the iptables configuration outside of a pod's initContainer. This would allow an operator with elevated privileges to add the solution to the cluster and have arbitrary pods have minimal privileges.
A good solution would be creating a CNI plugin that does the iptables setup. A DaemonSet would be added to the cluster which adds the CNI plugin to the set. Each time a pod is scheduled, the iptables rules would be added as part of network setup. This allows for them to be in place when the pod starts up (there might be some oddities with initContainers?).
Take a look at istio/cni for some good previous work.
Any alternatives you've considered?
How would users interact with this feature?
This should be optional and not default. It would be an awesome use of addons:
There are definitely some big open questions about the interactions between this and things like the auto-inject feature.
The text was updated successfully, but these errors were encountered: