
Add kube-proxy non-privileged blog post #43680

Closed

Conversation

uablrek

@uablrek uablrek commented Oct 25, 2023

The post describes how the --init-only flag can be used to do privileged initialization in an initContainer, and run the main container with NET_ADMIN capabilities only

Moved to kubernetes/contributor-site#452

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 25, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign onlydole for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added area/blog Issues or PRs related to the Kubernetes Blog subproject language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. labels Oct 25, 2023
@netlify

netlify bot commented Oct 25, 2023

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit efc6700
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/653a7fe382839b0008900dc3
😎 Deploy Preview https://deploy-preview-43680--kubernetes-io-main-staging.netlify.app

@sftim
Contributor

sftim commented Oct 25, 2023

/sig network

@k8s-ci-robot k8s-ci-robot added the sig/network Categorizes an issue or PR as relevant to SIG Network. label Oct 25, 2023
Contributor

@sftim sftim left a comment

Some early feedback.

/hold
pending assignment of a publication date

One thing I'd mention is that the narrowed kube-proxy Pod still only meets the privileged Pod security standard. There's still an improvement because the running container doesn't need to run privileged.

This post describes how the `--init-only` flag added in K8s v1.29 can
be used to perform configuration that requires privileged mode in an
initContainer, while the main `kube-proxy` container may run with a
stricter securityContext.
Contributor

stricter securityContext.

Comment on lines 23 to 24
privileged mode. Security aware users wants to [use capabilities instead](
https://github.com/kubernetes/kubernetes/issues/112171).
Contributor

Readers will expect this to take them to a guide, not an issue. I'd omit the link.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 25, 2023
uablrek and others added 7 commits October 25, 2023 18:48 (each Co-authored-by: Tim Bannister <tim@scalefactory.com>)
This post describes how the `--init-only` flag to `kube-proxy`, added in K8s v1.29, can
be used to perform configuration that requires privileged mode in an
initContainer, while the main `kube-proxy` container may run with a
stricter securityContext.
Contributor

maybe flip that around to put the cool part first: "can be used to run the main kube-proxy container in a stricter securityContext by performing the configuration that requires privileged mode in a separate initContainer"

Author

I also removed the "added in K8s v1.29", since it's now in the title.

command:
- /usr/local/bin/kube-proxy
- --config=/var/lib/kube-proxy/config.conf
- --init-only
Contributor

I would include the --hostname-override here as well. We know that it doesn't matter, but end users won't have a good sense of which options might matter and which ones don't, so they should just specify all the same options they specify for the real container.

Comment on lines 92 to 95
## Improve security even more



Contributor

???

Author

Ah, this was where I intended to describe "User Namespaces", but they can't be used. I will remove the header

Comment on lines 100 to 101
`NET_ADMIN` capabilities only. Installers like `kubeadm` may be
altered to use this feature.
Contributor

That's very passive... you should either submit a patch to make kubeadm do it, or if not (or if there's not time to get it in for 1.29), at least file a bug against it suggesting they should, and then you can say "kubeadm will likely be altered to use this feature in the future".

Author

Will do that tomorrow

uablrek and others added 3 commits October 25, 2023 19:43 (each Co-authored-by: Dan Winship <danwinship@redhat.com>)
@uablrek
Author

uablrek commented Oct 25, 2023

What is the practice about the commits accepted from a PR review? My intention is to squash them, but keep the "Co-authored-by:" part.

@uablrek
Author

uablrek commented Oct 25, 2023

One thing I'd mention is that the narrowed kube-proxy Pod still only meets the privileged Pod security standard. There's still an improvement because the running container doesn't need to run privileged.

@sftim
I must admit I wasn't aware of the Pod security standard until I read the User Namespaces blog yesterday. I will try to mention it in some way.

@uablrek uablrek marked this pull request as ready for review October 26, 2023 05:24
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 26, 2023
k8s-app: kube-proxy
spec:
template:
spec:
Member

@neolit123 neolit123 Oct 26, 2023

best to include:

image: registry.k8s.io/kube-proxy:v1.28.2
imagePullPolicy: IfNotPresent

for both init and regular containers in the example.
maybe, replace v1.28.2 with a VERSION and add note.

@danwinship
Contributor

One thing I'd mention is that the narrowed kube-proxy Pod still only meets the privileged Pod security standard. There's still an improvement because the running container doesn't need to run privileged.

In theory you could run two separate pods, though that would be annoying in various ways (especially that there's no such thing as a run-once DaemonSet)...

We should figure out what can be done to make the situation better...

@danwinship
Contributor

@uablrek you should add something somewhere about this being Linux-only / not for Windows. (Maybe explaining that it's because k8s on Windows doesn't have the equivalent of capabilities, so there's no way to give the pod just a little bit of privilege).

Comment on lines +72 to +97
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
k8s-app: kube-proxy
spec:
template:
spec:
initContainers:
- name: kube-proxy-init
command:
- /usr/local/bin/kube-proxy
- --config=/var/lib/kube-proxy/config.conf
- --hostname-override=$(NODE_NAME)
- --init-only
securityContext:
privileged: true
containers:
- name: kube-proxy
command:
- /usr/local/bin/kube-proxy
- --config=/var/lib/kube-proxy/config.conf
- --hostname-override=$(NODE_NAME)
securityContext:
capabilities:
add: ["NET_ADMIN"]
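Review bot: neither container in this hunk sets `image:`, so the manifest as shown cannot be applied as-is; both containers run /usr/local/bin/kube-proxy, so the initContainer needs the same kube-proxy image as the main container (the `registry.k8s.io/kube-proxy:<version>` line neolit123 asks for above), ideally with a comment telling readers to match it to their cluster version.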
Contributor

@sftim sftim Oct 26, 2023

Try this, which I think is a complete manifest.

Suggested change
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
k8s-app: kube-proxy
spec:
template:
spec:
initContainers:
- name: kube-proxy-init
command:
- /usr/local/bin/kube-proxy
- --config=/var/lib/kube-proxy/config.conf
- --hostname-override=$(NODE_NAME)
- --init-only
securityContext:
privileged: true
containers:
- name: kube-proxy
command:
- /usr/local/bin/kube-proxy
- --config=/var/lib/kube-proxy/config.conf
- --hostname-override=$(NODE_NAME)
securityContext:
capabilities:
add: ["NET_ADMIN"]
apiVersion: apps/v1
kind: DaemonSet
metadata:
namespace: kube-system
name: kube-proxy-linux
labels:
k8s-app: kube-proxy
spec:
selector:
matchLabels:
k8s-app: kube-proxy
kubernetes.io/os: linux
template:
metadata:
labels:
k8s-app: kube-proxy
kubernetes.io/os: linux
annotations:
kubernetes.io/description: >-
Node-level network proxy; part of Kubernetes
spec:
tolerations:
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
operator: Exists
os: { name: linux } # On Windows, kube-proxy needs to run privileged
# You will need a second DaemonSet if your cluster
# includes Windows nodes
nodeSelector:
kubernetes.io/os: linux
initContainers:
- name: kube-proxy-init
image: registry.k8s.io/kube-proxy:v1.28.2 # adjust this to the Kubernetes version you use
imagePullPolicy: IfNotPresent
# you should set resource requests here
# see https://k8s.io/docs/concepts/configuration/manage-resources-containers/
command:
- /usr/local/bin/kube-proxy
- --config=/var/lib/kube-proxy/config.conf
- --hostname-override=$(NODE_NAME)
- --init-only
securityContext:
privileged: true
containers:
- name: kube-proxy
image: registry.k8s.io/kube-proxy:v1.28.2 # adjust this to the Kubernetes version you use
imagePullPolicy: IfNotPresent
# you should set resource requests here
# see https://k8s.io/docs/concepts/configuration/manage-resources-containers/
command:
- /usr/local/bin/kube-proxy
- --config=/var/lib/kube-proxy/config.conf
- --hostname-override=$(NODE_NAME)
securityContext:
capabilities:
add: ["NET_ADMIN"]
terminationGracePeriodSeconds: 30
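Review bot: the suggested manifest references `$(NODE_NAME)` in both containers' `command` but defines no `env` entry for NODE_NAME, and passes `--config=/var/lib/kube-proxy/config.conf` without any `volumes`/`volumeMounts`, so neither container would find its node name or its configuration. Suggest adding an `env` entry whose `valueFrom.fieldRef.fieldPath` is `spec.nodeName` to both containers and a ConfigMap-backed volume mounted at `/var/lib/kube-proxy`, or else flagging those omissions in comments right where they occur, since the thread's later comments show readers will copy this verbatim.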

Contributor

I guess this doesn't cover a ConfigMap though, and maybe we should talk about that.

Author

@uablrek uablrek Oct 26, 2023

I disagree on this. The kubeadm maintainers, and others who really will use this, are totally capable of figuring out the exact procedure. IMHO the blog should give normal users an idea on what is done, not be a complete instruction. It should not be TL;DR. Besides, the kubeadm manifest is likely not the only one used.

Author

The ConfigMap is not affected. --init-only is a CLI option only; it can't be configured in the config file.

Contributor

OK, but: every bit we miss out, let's clearly tell readers what's not there. We don't need to give all the details but let's make it very very obvious that this manifest is incomplete.

Even if we do all that, the website repo is likely to get issues filed by people who don't get it. Let's do what we reasonably can to minimize the rate of those issues.

Author

Updated.

It might be even more issues if we give the illusion that the manifests are complete, and are compatible with the ones the users may have (which may not be kubeadm generated).

Contributor

So, on that: let's add a very clear note that this still isn't complete: nothing populates /var/lib/kube-proxy/config.conf.

Comment on lines +47 to +48
*The example manifests below are not complete, but narrowed down to what is
essential to illustrate the function.*
Contributor

Thanks, but I think we can safely assume that a good proportion of readers' eyes slip right past this and start at the manifest.

Contributor

(we should keep the note here, but we should also make it clear in the example manifest about which details aren't included)

@sftim
Contributor

sftim commented Oct 26, 2023

Following on from https://github.com/kubernetes/website/pull/43680/files#r1373331022

Another option: write a blog for https://k8s.dev/ that is aimed at a more informed audience.

If you write an article that is aimed at cluster lifecycle tool authors, you don't have to include a sample manifest marked as kind: DaemonSet, just some snippets.


The flip side though is that if we are writing on the Kubernetes blog, we need to write for an audience that includes people who'll copy and paste what we put here and then file an issue if it doesn't work. I want to control for that risk before the stream of issues turns up.

@uablrek
Author

uablrek commented Oct 26, 2023

A complete updated manifest would be something like in kubernetes/kubernetes#120864 (comment). In your example, the volume mounts seem to be missing. If anybody does a copy/paste on those, nothing would work.

@danwinship proposed a blog in kubernetes/kubernetes#120864 (comment),
but this may not be a post with a suitable level for Kubernetes blog.

Perhaps I should close this PR, and a better option would be that a kubeadm maintainer write a blog post when this feature is supported by kubeadm?
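Two review points in this thread can be checked mechanically: sftim's observation that the narrowed Pod still only meets the privileged Pod Security Standard (the initContainer is privileged and NET_ADMIN is outside the baseline capability list), and the missing `$(NODE_NAME)` env entry and config volume that make the sample manifests fail when pasted. The lint below is an added example, not code from this PR or from the Kubernetes project. It assumes the DaemonSet is supplied as the JSON object `kubectl get ds -n kube-system kube-proxy -o json` returns; the two sample manifests, the names `audit_kube_proxy` and `pss_level`, and the downward-API/ConfigMap shapes used in the completed sample are constructed for this example.

```python
"""Lint a kube-proxy DaemonSet for the privileged-init / NET_ADMIN-main pattern.

Added example, not code from the PR or from Kubernetes. Input is the DaemonSet as
JSON (e.g. `kubectl get ds -n kube-system kube-proxy -o json`); sample manifests
below are constructed for this example."""
import copy
import re

# Capabilities a container may add and still satisfy the "baseline" Pod Security Standard.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
VAR_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")  # $(NAME) references in args


def pss_level(pod_spec):
    """Return "privileged" or "baseline" judged on privileged containers, hostNetwork and
    added capabilities only; the extra "restricted" requirements are not modelled."""
    if pod_spec.get("hostNetwork"):
        return "privileged"
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            return "privileged"
        if set((sc.get("capabilities") or {}).get("add") or []) - BASELINE_ALLOWED_CAPS:
            return "privileged"
    return "baseline"


def _flag_value(command, flag):
    for arg in command:
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
    return None


def audit_kube_proxy(ds):
    """Return a list of findings; an empty list means the pattern is applied consistently."""
    pod = ds["spec"]["template"]["spec"]
    inits = [c for c in pod.get("initContainers", []) if "--init-only" in c.get("command", [])]
    mains = [c for c in pod.get("containers", []) if c.get("name") == "kube-proxy"]
    if not inits or not mains:
        return ["need an initContainer running kube-proxy --init-only and a container named kube-proxy"]
    init, main = inits[0], mains[0]
    findings = []
    init_sc, main_sc = init.get("securityContext") or {}, main.get("securityContext") or {}
    if not init_sc.get("privileged"):
        findings.append("init container is not privileged; the --init-only setup needs it")
    if main_sc.get("privileged"):
        findings.append("main kube-proxy container still runs privileged")
    added = set((main_sc.get("capabilities") or {}).get("add") or [])
    if added != {"NET_ADMIN"}:
        findings.append(f"main container adds {sorted(added)}; expected exactly NET_ADMIN")
    # Reviewer's point: the init container gets the same options as the real one, plus --init-only.
    if init.get("command") != list(main.get("command", [])) + ["--init-only"]:
        findings.append("init container command is not main command + --init-only")
    if init.get("image") != main.get("image"):
        findings.append("init and main containers use different images")
    for c in (init, main):
        env = {e.get("name") for e in c.get("env", [])}
        for ref in VAR_REF.findall(" ".join(c.get("command", []))):
            if ref not in env:
                findings.append(f"{c['name']}: $({ref}) used but no env entry defines it")
        cfg = _flag_value(c.get("command", []), "--config")
        mounts = [m.get("mountPath", "").rstrip("/") + "/" for m in c.get("volumeMounts", [])]
        if cfg and not any(cfg.startswith(m) for m in mounts):
            findings.append(f"{c['name']}: {cfg} is not under any volumeMount")
    return findings


def _container(name, init_only):
    cmd = ["/usr/local/bin/kube-proxy", "--config=/var/lib/kube-proxy/config.conf",
           "--hostname-override=$(NODE_NAME)"] + (["--init-only"] if init_only else [])
    sc = {"privileged": True} if init_only else {"capabilities": {"add": ["NET_ADMIN"]}}
    return {"name": name, "image": "registry.k8s.io/kube-proxy:v1.28.2",
            "command": cmd, "securityContext": sc}


# Constructed: the manifest suggested in the review, as the API server would return it.
SUGGESTED = {"apiVersion": "apps/v1", "kind": "DaemonSet",
             "metadata": {"name": "kube-proxy-linux", "namespace": "kube-system"},
             "spec": {"template": {"spec": {
                 "initContainers": [_container("kube-proxy-init", True)],
                 "containers": [_container("kube-proxy", False)]}}}}

# Constructed: the same manifest with the parts the thread says are missing. The shapes
# (NODE_NAME from the downward API, config.conf from a ConfigMap volume) are assumed.
COMPLETED = copy.deepcopy(SUGGESTED)
for _c in (COMPLETED["spec"]["template"]["spec"]["initContainers"]
           + COMPLETED["spec"]["template"]["spec"]["containers"]):
    _c["env"] = [{"name": "NODE_NAME", "valueFrom": {"fieldRef": {"fieldPath": "spec.nodeName"}}}]
    _c["volumeMounts"] = [{"name": "kube-proxy", "mountPath": "/var/lib/kube-proxy"}]
COMPLETED["spec"]["template"]["spec"]["volumes"] = [
    {"name": "kube-proxy", "configMap": {"name": "kube-proxy"}}]

if __name__ == "__main__":
    for label, ds in (("suggested", SUGGESTED), ("completed", COMPLETED)):
        print(label, pss_level(ds["spec"]["template"]["spec"]), audit_kube_proxy(ds))
```

Run against the suggested manifest it reports four findings (the undefined `$(NODE_NAME)` and the unmounted config path, once per container) and nothing for the completed one; both still come back as `privileged`, which is exactly sftim's point: the gain is that the long-running container no longer needs `privileged: true`, not that the Pod fits a stricter Pod Security Standard.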

@sftim
Contributor

sftim commented Oct 26, 2023

Perhaps I should close this PR, and a better option would be that a kubeadm maintainer write a blog post when this feature is supported by kubeadm?

It's good to announce the feature at around the time we add it. If you're willing to shift this writeup to https://k8s.dev/blog - https://github.com/kubernetes/contributor-site - then we don't have to worry much about people expecting working YAML. The contributor blog has fewer readers and different expectations.

So that's one good option; another good option is to explain how to set up kube-proxy the new way. That kind of detail is an unmet need: we tell people that kubeadm can set things up for them, but if they want to learn how to do it by hand they are largely on their own (I can explain why - maybe on Slack? - if you'd like more context).
The trouble is that if we make a blog article that looks like advice on deploying kube-proxy, I really think it needs to explain what readers are hoping to find. Even if that isn't the same as what we / you had set out to write.

You can still pick, but from a smaller set of choices than you might like. I'd prefer an article that explains kube-proxy setup for Linux the new recommended way. If that's not on the cards, then an article on https://k8s.dev/blog feels like a good second place option.

@uablrek
Author

uablrek commented Oct 26, 2023

I will move to https://k8s.dev/blog. I think it requires more understanding than copy/paste to update the kube-proxy manifest and get it right, even if a complete manifest is given as an example. It isn't really hard to do one time in KinD for example, but to maintain it in a live cluster, without help from kubeadm, requires skill.

I think it's better to keep this for experienced users and developers of installation tools for now. It can be brought to a broader audience when support in kubeadm exists.

@uablrek
Author

uablrek commented Oct 27, 2023

This PR is moved to kubernetes/contributor-site#452

@uablrek uablrek closed this Oct 27, 2023
@uablrek
Author

uablrek commented Oct 27, 2023

@sftim Thanks a lot for your input. I have already received a query on what image to use for this, so the copy/paste syndrome is very real. I wasn't aware, and I guess you would be the one taking the hit 😄

@sftim
Contributor

sftim commented Jan 2, 2024

kubernetes/contributor-site#452 is merged.
