Add kube-proxy non-privileged blog post #43680
Conversation
The post describes how the --init-only flag can be used to do privileged initialization in an initContainer, and run the main container with NET_ADMIN capabilities only
[APPROVALNOTIFIER] This PR is NOT APPROVED.
/sig network
Some early feedback.
/hold
pending assignment of a publication date
One thing I'd mention is that the narrowed kube-proxy Pod still only meets the privileged Pod security standard. There's still an improvement because the running container doesn't need to run privileged.
This post describes how the `--init-only` flag added in K8s v1.29 can | ||
be used to perform configuration that requires privileged mode in an | ||
initContainer, while the main `kube-proxy` container may run with a | ||
stricter securityContext. |
stricter securityContext.
privileged mode. Security aware users wants to [use capabilities instead]( | ||
https://github.com/kubernetes/kubernetes/issues/112171). |
Readers will expect this to take them to a guide, not an issue. I'd omit the link.
Co-authored-by: Tim Bannister <tim@scalefactory.com>
This post describes how the `--init-only` flag to `kube-proxy`, added in K8s v1.29, can | ||
be used to perform configuration that requires privileged mode in an | ||
initContainer, while the main `kube-proxy` container may run with a | ||
stricter securityContext. |
maybe flip that around to put the cool part first: "can be used to run the main kube-proxy container in a stricter securityContext by performing the configuration that requires privileged mode in a separate initContainer"
I also removed the "added in K8s v1.29", since it's now in the title.
command: | ||
- /usr/local/bin/kube-proxy | ||
- --config=/var/lib/kube-proxy/config.conf | ||
- --init-only |
I would include the --hostname-override here as well. We know that it doesn't matter, but end users won't have a good sense of which options might matter and which ones don't, so they should just specify all the same options they specify for the real container.
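As an added example (not code from the PR or from kube-proxy itself), a small policy check for the pattern the reviewers are discussing: it verifies that --init-only runs in a privileged init container, that the long-lived kube-proxy container is non-privileged with only NET_ADMIN, and that the init container carries the main container's flags plus --init-only, so an option like --hostname-override is not dropped from the init step. The pod spec it inspects is a constructed sample that mirrors the PR's earlier draft.

```python
# Added example, not code from the PR or from kube-proxy itself: a policy check
# for the init-container pattern above. It checks that (a) --init-only runs in
# an init container with privileged: true, (b) the long-lived kube-proxy
# container is non-privileged with only NET_ADMIN added, and (c) the init
# container gets the main container's flags plus --init-only.

def kube_proxy_containers(pod_spec):
    """Return (init, main): the --init-only init container and the kube-proxy container."""
    inits = [c for c in pod_spec.get("initContainers", []) if "--init-only" in c.get("command", [])]
    mains = [c for c in pod_spec.get("containers", []) if c.get("name") == "kube-proxy"]
    return (inits[0] if inits else None), (mains[0] if mains else None)

def check_kube_proxy_pod(pod_spec):
    """Return a list of findings; an empty list means the pod spec follows the pattern."""
    init, main = kube_proxy_containers(pod_spec)
    findings = []
    if init is None:
        findings.append("no initContainer runs kube-proxy with --init-only")
    if main is None:
        findings.append("no container named kube-proxy")
    if findings:
        return findings
    # (a) privileged mode is allowed only in the short-lived init step
    if not init.get("securityContext", {}).get("privileged", False):
        findings.append("init container is not privileged; --init-only setup will fail")
    # (b) the long-running container: not privileged, capabilities.add == {NET_ADMIN}
    sc = main.get("securityContext", {})
    if sc.get("privileged", False):
        findings.append("main container runs privileged")
    added = set(sc.get("capabilities", {}).get("add", []))
    if added != {"NET_ADMIN"}:
        findings.append("main container capabilities.add is %s, expected only NET_ADMIN" % sorted(added))
    # (c) init flags must be exactly the main flags plus --init-only
    if [a for a in init["command"] if a != "--init-only"] != main.get("command", []):
        findings.append("init container flags differ from main container flags (besides --init-only)")
    return findings

# Constructed sample mirroring the PR's earlier draft: the init container
# omits --hostname-override, which the check reports.
SAMPLE_POD_SPEC = {
    "initContainers": [{"name": "kube-proxy-init", "securityContext": {"privileged": True},
                        "command": ["/usr/local/bin/kube-proxy",
                                    "--config=/var/lib/kube-proxy/config.conf", "--init-only"]}],
    "containers": [{"name": "kube-proxy",
                    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
                    "command": ["/usr/local/bin/kube-proxy", "--config=/var/lib/kube-proxy/config.conf",
                                "--hostname-override=$(NODE_NAME)"]}],
}
```

Running `check_kube_proxy_pod` over a real DaemonSet's pod template (for example the output of `kubectl get ds kube-proxy -n kube-system -o json`, after `json.load`) gives the same findings list.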
## Improve security even more | ||
|
||
|
||
|
???
Ah, this was where I intended to describe "User Namespaces", but they can't be used. I will remove the header
`NET_ADMIN` capabilities only. Installers like `kubeadm` may be | ||
altered to use this feature. |
That's very passive... you should either submit a patch to make kubeadm do it, or if not (or if there's not time to get it in for 1.29), at least file a bug against it suggesting they should, and then you can say "kubeadm will likely be altered to use this feature in the future".
Will do that tomorrow
Co-authored-by: Dan Winship <danwinship@redhat.com>
What is the practice about the commits accepted from a PR review? My intention is to squash them, but keep the "Co-authored-by:" part.
@sftim
k8s-app: kube-proxy | ||
spec: | ||
template: | ||
spec: |
best to include:
image: registry.k8s.io/kube-proxy:v1.28.2
imagePullPolicy: IfNotPresent
for both init and regular containers in the example.
maybe, replace v1.28.2 with a VERSION and add note.
In theory you could run two separate pods, though that would be annoying in various ways (especially that there's no such thing as a run-once DaemonSet)... We should figure out what can be done to make the situation better...
@uablrek you should add something somewhere about this being Linux-only / not for Windows. (Maybe explaining that it's because k8s on Windows doesn't have the equivalent of
apiVersion: apps/v1 | ||
kind: DaemonSet | ||
metadata: | ||
labels: | ||
k8s-app: kube-proxy | ||
spec: | ||
template: | ||
spec: | ||
initContainers: | ||
- name: kube-proxy-init | ||
command: | ||
- /usr/local/bin/kube-proxy | ||
- --config=/var/lib/kube-proxy/config.conf | ||
- --hostname-override=$(NODE_NAME) | ||
- --init-only | ||
securityContext: | ||
privileged: true | ||
containers: | ||
- name: kube-proxy | ||
command: | ||
- /usr/local/bin/kube-proxy | ||
- --config=/var/lib/kube-proxy/config.conf | ||
- --hostname-override=$(NODE_NAME) | ||
securityContext: | ||
capabilities: | ||
add: ["NET_ADMIN"] |
Try this, which I think is a complete manifest.
apiVersion: apps/v1 | |
kind: DaemonSet | |
metadata: | |
labels: | |
k8s-app: kube-proxy | |
spec: | |
template: | |
spec: | |
initContainers: | |
- name: kube-proxy-init | |
command: | |
- /usr/local/bin/kube-proxy | |
- --config=/var/lib/kube-proxy/config.conf | |
- --hostname-override=$(NODE_NAME) | |
- --init-only | |
securityContext: | |
privileged: true | |
containers: | |
- name: kube-proxy | |
command: | |
- /usr/local/bin/kube-proxy | |
- --config=/var/lib/kube-proxy/config.conf | |
- --hostname-override=$(NODE_NAME) | |
securityContext: | |
capabilities: | |
add: ["NET_ADMIN"] | |
apiVersion: apps/v1 | |
kind: DaemonSet | |
metadata: | |
namespace: kube-system | |
name: kube-proxy-linux | |
labels: | |
k8s-app: kube-proxy | |
spec: | |
selector: | |
matchLabels: | |
k8s-app: kube-proxy | |
kubernetes.io/os: linux | |
template: | |
metadata: | |
labels: | |
k8s-app: kube-proxy | |
kubernetes.io/os: linux | |
annotations: | |
kubernetes.io/description: >- | |
Node-level network proxy; part of Kubernetes | |
spec: | |
tolerations: | |
- key: node-role.kubernetes.io/control-plane | |
effect: NoSchedule | |
operator: Exists | |
os: { name: linux } # On Windows, kube-proxy needs to run privileged | |
# You will need a second DaemonSet if your cluster | |
# includes Windows nodes | |
nodeSelector: | |
kubernetes.io/os: linux | |
initContainers: | |
- name: kube-proxy-init | |
image: registry.k8s.io/kube-proxy:v1.28.2 # adjust this to the Kubernetes version you use | |
imagePullPolicy: IfNotPresent | |
# you should set resource requests here | |
# see https://k8s.io/docs/concepts/configuration/manage-resources-containers/ | |
command: | |
- /usr/local/bin/kube-proxy | |
- --config=/var/lib/kube-proxy/config.conf | |
- --hostname-override=$(NODE_NAME) | |
- --init-only | |
securityContext: | |
privileged: true | |
containers: | |
- name: kube-proxy | |
image: registry.k8s.io/kube-proxy:v1.28.2 # adjust this to the Kubernetes version you use | |
imagePullPolicy: IfNotPresent | |
# you should set resource requests here | |
# see https://k8s.io/docs/concepts/configuration/manage-resources-containers/ | |
command: | |
- /usr/local/bin/kube-proxy | |
- --config=/var/lib/kube-proxy/config.conf | |
- --hostname-override=$(NODE_NAME) | |
securityContext: | |
capabilities: | |
add: ["NET_ADMIN"] | |
terminationGracePeriodSeconds: 30 |
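Review bot: the suggested manifest still lacks what the pod needs to start, so it should either be completed or carry a leading comment that says it is a fragment. Both containers expand $(NODE_NAME) in --hostname-override, but no env entry defines NODE_NAME (the usual source is a valueFrom.fieldRef to spec.nodeName); nothing mounts a volume at /var/lib/kube-proxy/config.conf, which both --config flags point to; and hostNetwork: true is absent, although kube-proxy programs the node's own network stack and cannot do so from a pod network namespace. As it stands, the init container would fail on the missing config file before the non-privileged main container ever runs, and readers who copy the manifest will assume the pattern itself is broken.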
I guess this doesn't cover a ConfigMap though, and maybe we should talk about that.
I disagree on this. The kubeadm maintainers, and others who really will use this, are totally capable of figuring out the exact procedure. IMHO the blog should give normal users an idea on what is done, not be a complete instruction. It should not be TL;DR; Besides, the kubeadm manifest is likely not the only one used
The ConfigMap is not affected. --init-only is a CLI option only, it can't be configured in the config file
OK, but: every bit we miss out, let's clearly tell readers what's not there. We don't need to give all the details but let's make it very very obvious that this manifest is incomplete.
Even if we do all that, the website repo is likely to get issues filed by people who don't get it. Let's do what we reasonably can to minimize the rate of those issues.
Updated.
It might be even more issues if we give the illusion that the manifests are complete, and are compatible with the ones the users may have (which may not be kubeadm generated).
So, on that: let's add a very clear note that this still isn't complete: nothing populates /var/lib/kube-proxy/config.conf.
Co-authored-by: Tim Bannister <tim@scalefactory.com>
*The example manifests below are not complete, but narrowed down to what is | ||
essential to illustrate the function.* |
Thanks, but I think we can safely assume that a good proportion of readers' eyes slip right past this and start at the manifest.
(we should keep the note here, but we should also make it clear in the example manifest about which details aren't included)
Following on from https://github.com/kubernetes/website/pull/43680/files#r1373331022 Another option: write a blog for https://k8s.dev/ that is aimed at a more informed audience. If you write an article that is aimed at cluster lifecycle tool authors, you don't have to include a sample manifest marked as The flip side though is that if we are writing on the Kubernetes blog, we need to write for an audience that includes people who'll copy and paste what we put here and then file an issue if it doesn't work. I want to control for that risk before the stream of issues turns up.
A complete updated manifest would be something like in kubernetes/kubernetes#120864 (comment). In your example, the volume mounts seem to be missing. If anybody does a copy/paste on those, nothing would work. @danwinship proposed a blog in kubernetes/kubernetes#120864 (comment), Perhaps I should close this PR, and a better option would be that a kubeadm maintainer write a blog post when this feature is supported by kubeadm?
It's good to announce the feature at around the time we add it. If you're willing to shift this writeup to https://k8s.dev/blog - https://github.com/kubernetes/contributor-site - then we don't have to worry much about people expecting working YAML. The contributor blog has fewer readers and different expectations. So that's one good option; another good option is to explain how to set up You can still pick, but from a smaller set of choices than you might like. I'd prefer an article that explains
I will move to https://k8s.dev/blog. I think it requires more understanding than copy/paste to update the kube-proxy manifest and get it right, even if a complete manifest is given as an example. It isn't really hard to do one time in KinD for example, but to maintain it in a live cluster, without help from I think it's better to keep this for experienced users and developers of installation tools for now. It can be brought to a broader audience when support in
This PR is moved to kubernetes/contributor-site#452
@sftim Thanks a lot for your input. I have already received a query on that image to use for this, so the copy/paste syndrome is very real. I wasn't aware, and I guess you would be the one taking the hit 😄
kubernetes/contributor-site#452 is merged.
Moved to kubernetes/contributor-site#452