
Run kube-proxy in non-privileged mode for Kubernetes >= 1.29 #8700

Closed
ialidzhikov opened this issue Oct 27, 2023 · 3 comments · Fixed by #9000
Labels
area/security Security related kind/enhancement Enhancement, improvement, extension

Comments

@ialidzhikov (Member)

ialidzhikov commented Oct 27, 2023

How to categorize this issue?

/area security
/kind enhancement

What would you like to be added:
When I worked on the topic of running Pods in non-privileged mode, for kube-proxy I created kubernetes/kubernetes#112171. kubernetes/kubernetes#112171 is fixed by kubernetes/kubernetes#120864. Starting with Kubernetes 1.29 it will be possible to run the long-running kube-proxy container as non-privileged.
For more details, see kubernetes/contributor-site#452.

The kube-proxy logic that requires running in a privileged container is moved to an init container. From kubernetes/kubernetes#120864:

initContainers:
  - name: kube-proxy-init
    command:
    - /usr/local/bin/kube-proxy
    - --config=/var/lib/kube-proxy/config.conf
    - --init-only
    image: registry.k8s.io/kube-proxy:local
    imagePullPolicy: IfNotPresent
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /var/lib/kube-proxy
      name: kube-proxy

And the main kube-proxy container runs with:

securityContext:
  capabilities:
    add: ["NET_ADMIN", "SYS_RESOURCE"]

Why is this needed:
To run kube-proxy in non-privileged mode.

cc @dimityrmirchev @AleksandarSavchev
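As an added example (not code from the gardener or kubernetes projects), the following check audits a Pod spec for the split the issue describes: no long-running container may be privileged, the main container may add only NET_ADMIN and SYS_RESOURCE, and a privileged init container must be the `--init-only` step. The two specs are constructed from the fragments quoted above; the allowed-capability set is an assumption taken from this issue.

```python
# Added example, not code from gardener or kubernetes: a policy check for the
# privilege split described above. Specs below are constructed from the issue.

# Capabilities the long-running kube-proxy container is allowed to add.
ALLOWED_CAPS = {"NET_ADMIN", "SYS_RESOURCE"}

def audit_pod_spec(spec):
    """Return findings for a Pod spec; an empty list means it passes."""
    findings = []
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{c['name']}: long-running container is privileged")
        extra = set((sc.get("capabilities") or {}).get("add", [])) - ALLOWED_CAPS
        if extra:
            findings.append(f"{c['name']}: unexpected capabilities {sorted(extra)}")
    for c in spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") and "--init-only" not in c.get("command", []):
            findings.append(f"{c['name']}: privileged init container lacks --init-only")
    return findings

KUBE_PROXY_CMD = ["/usr/local/bin/kube-proxy", "--config=/var/lib/kube-proxy/config.conf"]

# Constructed "before": kube-proxy as one privileged long-running container.
BEFORE = {"containers": [
    {"name": "kube-proxy", "command": KUBE_PROXY_CMD,
     "securityContext": {"privileged": True}},
]}

# Constructed "after": privileged setup in an --init-only init container,
# main container with only the two capabilities.
AFTER = {
    "initContainers": [
        {"name": "kube-proxy-init", "command": KUBE_PROXY_CMD + ["--init-only"],
         "securityContext": {"privileged": True}},
    ],
    "containers": [
        {"name": "kube-proxy", "command": KUBE_PROXY_CMD,
         "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_RESOURCE"]}}},
    ],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_pod_spec(spec) or "ok")
```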

@gardener-prow gardener-prow bot added area/security Security related kind/enhancement Enhancement, improvement, extension labels Oct 27, 2023
@uablrek

uablrek commented Oct 27, 2023

@ialidzhikov I have tested both ipvs and iptables with NET_ADMIN only, and it seems to work. Is there any case I have missed that requires SYS_RESOURCE?

@shafeeqes (Contributor)

/assign

@ialidzhikov (Member, Author)

ialidzhikov commented Jan 11, 2024

> @ialidzhikov I have tested both ipvs and iptables with NET_ADMIN only, and it seems to work. Is there any case I have missed that requires SYS_RESOURCE?

See #9000 (comment). SYS_RESOURCE seems to be required. According to kubernetes/kubernetes#112171 (comment), SYS_RESOURCE was also required.
