Run Calico node as non-privileged and non-root
Big picture
Run long-lived Calico components in non-privileged and non-root containers.
Value
Running Calico in non-privileged and non-root mode is an option for users who want to secure Calico as much as possible, and who do not care about Calico features beyond the basic Calico networking and network policy. The tradeoff for more security is the overhead of Calico networking management. For example, you no longer receive Calico corrections to misconfigurations caused by other components within your cluster, along with limited support for new features.
Concepts
To run Calico as securely as possible, long-running Calico components (for example calico/node), can be run without privileged and root permissions in their respective containers. Note that to set up these components, the init containers still need to run with privileged and root permissions, but the risk to cluster security is minimal because of the ephemeral nature of init containers.
Supported
- Operator installation only.
Unsupported
- Calico Enterprise
- eBPF dataplane
- WorkloadSourceSpoofing felix option and the related
cni.projectcalico.org/allowedSourcePrefixes
annotation
note
Support for features added after Calico v3.21 is not guaranteed.
How to
Follow the Tigera Calico operator installation instructions. If you have already installed the operator, skip to the next step.
Edit the Calico installation to set the
nonPrivileged
field toEnabled
.kubectl edit installation default
Your installation resource should look similar to the following:
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
calicoNetwork:
bgp: Enabled
hostPorts: Enabled
ipPools:
- blockSize: 26
cidr: 192.168.0.0/16
encapsulation: VXLANCrossSubnet
natOutgoing: Enabled
nodeSelector: all()
linuxDataplane: Iptables
multiInterfaceMode: None
nodeAddressAutodetectionV4:
firstFound: true
cni:
ipam:
type: Calico
type: Calico
controlPlaneReplicas: 2
flexVolumePath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
nodeUpdateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
nonPrivileged: Enabled
variant: Calico
The
calico-node
pods in thecalico-system
namespace should now restart. Verify that they restart properly.watch kubectl get pods -n calico-system
Calico should now be running calico-node
in non-privileged and non-root containers.