Linkerd without CNI - run as non-root #5505
Comments
|
Hey @pankajmt! If we could run the proxy-init container as non-root but still with the appropriate net capabilities, we'd be open to it. As far as I know, no one has tried this so I'm not totally sure if it is possible or not. If you are interested in working on this, I'd love to take a look. |
|
ah yes, it would be the proxy-init container and not the proxy container to be precise. I might start looking into this today. |
|
Not much luck with attempt 1 See this in startup of linkerd control plane |
|
Not much luck with attempt 2 Updated Dockerfile to allow child processes inherit the capabilities too and also assign capabilities also to iptables binary. Same output. Wonder if iptables 1.8.2 legacy on debian buster is good enough. i see mentions buster also now has nftables, successor to iptables. |
|
Looks like I am able to run iptables commands in a pod without being root if the associated PSP in addition to capabilities NET_ADMIN and NET_RAW also has allowPrivilegeEscalation: true Now as per https://kubernetes.io/docs/concepts/policy/pod-security-policy/, This bool directly controls whether the no_new_privs flag gets set on the container process. This flag will prevent setuid binaries from changing the effective user ID, and prevent files from enabling extra capabilities (e.g. it will prevent the use of the ping tool). This behavior is required to effectively enforce MustRunAsNonRoot. So, my understanding is, although not root, with your own binary, you can do things like root by including this in a docker image with setuid bit set or additional capabilities. so equally risky 👎 |
|
@pankajmt Thanks for the experimentation. To confirm, the only way you've found to have the proxy-init container to run as non-root is by setting |
|
Following linkerd control plane PSP changes allow iptables to run as NON root my docker image where I have this working atm is I am expecting the same result for proxy init container, but still to be verified. But I am now also wondering if the powers are still same as before. Run as Root with limited capabilities My experience with linux dates from setuid days, then there was a gap when all the capabilities model evolved. And I have been an applications person all along, never a OS geek :-) Plan to read more. |
Running as non-root seems to be always a better choice. Granting root means the process gets write access to all files though and no capabilities prevent that from my experiments. The allow privilege escalation is equivalent to |
|
The changes at linkerd/linkerd2-proxy-init#49 lead to an up and running linkerd without the need of However, for now I am stuck at the injected init containers which are currently not allowed to run :-) |
|
Requires for me the following changes in this repo for the controller: diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl
index 32411552..93e23a37 100644
--- a/charts/partials/templates/_proxy-init.tpl
+++ b/charts/partials/templates/_proxy-init.tpl
@@ -44,8 +44,6 @@ securityContext:
privileged: false
{{- end }}
readOnlyRootFilesystem: true
- runAsNonRoot: false
- runAsUser: 0
terminationMessagePolicy: FallbackToLogsOnError
{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }}
volumeMounts:And so I'm running completely as non-root :-) |
Linkerd proxy-init container is currently enforced to run as root. Removes hardcoding `runAsNonRoot: false` and `runAsUser: 0`. This way the container inherits the user ID from the proxy-init image instead which may allow to run as non-root. Validation should happen during the usual tests. Fixes linkerd#5505 Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com>
Linkerd proxy-init container is currently enforced to run as root. Removes hardcoding `runAsNonRoot: false` and `runAsUser: 0`. This way the container inherits the user ID from the proxy-init image instead which may allow to run as non-root. Validation should happen during the usual tests. Fixes linkerd#5505 Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com>
Linkerd proxy-init container is currently enforced to run as root. Removes hardcoding `runAsNonRoot: false` and `runAsUser: 0`. This way the container inherits the user ID from the proxy-init image instead which may allow to run as non-root. Validation should happen during the usual tests. Fixes linkerd#5505 Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com>
Linkerd proxy-init container is currently enforced to run as root. Removes hardcoding `runAsNonRoot: false` and `runAsUser: 0`. This way the container inherits the user ID from the proxy-init image instead which may allow to run as non-root. Validation should happen during the usual tests. Fixes linkerd#5505 Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com>
Linkerd proxy-init container is currently enforced to run as root. Removes hardcoding `runAsNonRoot: false` and `runAsUser: 0`. This way the container inherits the user ID from the proxy-init image instead which may allow to run as non-root. Validation should happen during the usual tests. Fixes linkerd#5505 Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com>
Linkerd proxy-init container is currently enforced to run as root. Removes hardcoding `runAsNonRoot: false` and `runAsUser: 0`. This way the container inherits the user ID from the proxy-init image instead which may allow to run as non-root. Fixes #5505 Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com>
Linkerd proxy-init container is currently enforced to run as root. Removes hardcoding `runAsNonRoot: false` and `runAsUser: 0`. This way the container inherits the user ID from the proxy-init image instead which may allow to run as non-root. Fixes #5505 Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com> (cherry picked from commit 9853353) Signed-off-by: Oliver Gould <ver@buoyant.io>
Linkerd proxy-init container is currently enforced to run as root. Removes hardcoding `runAsNonRoot: false` and `runAsUser: 0`. This way the container inherits the user ID from the proxy-init image instead which may allow to run as non-root. Fixes #5505 Signed-off-by: Schlotter, Christian <christian.schlotter@daimler.com> (cherry picked from commit 9853353) Signed-off-by: Oliver Gould <ver@buoyant.io>
Feature Request
What problem are you trying to solve?
We are not able to run Linkerd with CNI as another CNI we have in the chain does not play well with Linkerds. Hence we want to switch to Linkerd without CNI. But that needs our kube PSPs to allow
We are OK with the first two capabilities confined to the linkerd proxy binary without needing to run as root. That would be acceptable to InformationSecurity team at the place we are trying to run Linkerd. Is it possible to do that?
How should the problem be solved?
linkerd proxy container section added by mutation webhook will need to include something like
securityContext:
capabilities:
add:
- NET_RAW
- NET_ADMIN
the proxy image will need to be built with something like
RUN apt-get install libcap2-bin=1:2.25-2 -y --no-install-recommends
&& setcap 'cap_net_raw=+ep' \
&& setcap 'cap_net_admin=+ep'
What do you want to happen? Add any considered drawbacks.
Any alternatives you've considered?
Is there another way to solve this problem that isn't as good a solution?
Run all application workloads as Root which opens a big security hole
How would users interact with this feature?
If you can, explain how users will be able to use this. Maybe some sample CLI
output?
Kubernetes PSP for application workloads which needs to allow above two capabilities and can still require binary to NOT run as root
The text was updated successfully, but these errors were encountered: