Using PSP
The Linkerd control plane comes with its own minimally privileged Pod Security Policy and the associated RBAC resources. This Pod Security Policy is enforced only if the PodSecurityPolicy admission controller is enabled.
To view the definition of the control plane’s Pod Security Policy, run:
kubectl describe psp -l linkerd.io/control-plane-ns=linkerd
Adjust the value of the above label to match your control plane’s namespace.
Notice that to minimize attack surface, all Linux capabilities are dropped from the control plane’s Pod Security Policy, with the exception of the NET_ADMIN and NET_RAW capabilities. These capabilities provide the proxy-init init container with the runtime privilege to rewrite the pod’s iptables rules. Note that adding these capabilities to the Pod Security Policy doesn’t make the container a privileged container. The control plane’s Pod Security Policy prevents container privilege escalation with the allowPrivilegeEscalation: false policy. To understand the full implication of the NET_ADMIN and NET_RAW capabilities, refer to the Linux capabilities manual.
More information on the iptables rules used by the proxy-init init container can be found on the Architecture page.
If your environment disallows the operation of containers with escalated Linux capabilities, Linkerd can be installed with its CNI plugin, which doesn’t require the NET_ADMIN and NET_RAW capabilities.
Linkerd doesn’t provide any default Pod Security Policy for the data plane because the policies will vary depending on the security requirements of your application. The security context requirement for the Linkerd proxy sidecar container will be very similar to that defined in the control plane’s Pod Security Policy.
For example, the following Pod Security Policy and RBAC will work with the injected emojivoto demo application:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-emojivoto-data-plane
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 65535
      min: 10001
    rule: MustRunAs
  readOnlyRootFilesystem: true
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  - NET_BIND_SERVICE
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 10001
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: emojivoto-psp
  namespace: emojivoto
rules:
- apiGroups: ['policy','extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['linkerd-emojivoto-data-plane']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: emojivoto-psp
  namespace: emojivoto
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: emojivoto-psp
subjects:
- kind: ServiceAccount
  name: default
  namespace: emojivoto
- kind: ServiceAccount
  name: emoji
  namespace: emojivoto
- kind: ServiceAccount
  name: voting
  namespace: emojivoto
- kind: ServiceAccount
  name: web
  namespace: emojivoto
Note that the Linkerd proxy only requires the NET_ADMIN and NET_RAW capabilities, and it’s run with UID 2102. The NET_BIND_SERVICE capability is needed by the web application because its container binds to port 80.
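The constraints described above (drop ALL, allow back only NET_ADMIN and NET_RAW for proxy-init, allowPrivilegeEscalation: false, no privileged containers, and any further capability justified by the application itself) can be checked mechanically before a data-plane policy is applied. The following linter is an added example written for this page, not Linkerd’s own tooling; it takes the manifest as a dict, as PyYAML’s yaml.safe_load would produce from the YAML above (the loader is not imported here), and the second, deliberately loose policy is constructed for contrast.

```python
"""Lint a PodSecurityPolicy against the properties this page expects of a
Linkerd data-plane policy. Added example, not Linkerd's own tooling."""

# Capabilities the proxy-init init container needs to rewrite the pod's
# iptables rules (from the page). Anything beyond these must be justified
# by the application, as NET_BIND_SERVICE is for the emojivoto web container.
PROXY_INIT_CAPS = frozenset({"NET_ADMIN", "NET_RAW"})


def lint_psp(psp, app_caps=frozenset()):
    """Return a list of findings; an empty list means the policy matches the
    properties the page describes. `app_caps` names capabilities the
    application itself needs, so they are not reported as unexplained."""
    spec = psp.get("spec", {})
    findings = []

    # Allowing NET_ADMIN/NET_RAW must not come with a privileged container.
    if spec.get("privileged", False):
        findings.append("spec.privileged must be false")
    # PSP defaults allowPrivilegeEscalation to true when it is omitted,
    # so a missing key is a finding, not a pass.
    if spec.get("allowPrivilegeEscalation", True):
        findings.append("spec.allowPrivilegeEscalation must be false")
    # Drop everything first, then allow back only what is needed.
    if "ALL" not in spec.get("requiredDropCapabilities", []):
        findings.append("spec.requiredDropCapabilities must contain ALL")
    if not spec.get("readOnlyRootFilesystem", False):
        findings.append("spec.readOnlyRootFilesystem should be true")

    allowed = set(spec.get("allowedCapabilities", []))
    if "*" in allowed:
        findings.append("spec.allowedCapabilities must not be '*'")
    missing = PROXY_INIT_CAPS - allowed
    if missing:
        findings.append(f"proxy-init needs {sorted(missing)} in allowedCapabilities")
    unexplained = allowed - PROXY_INIT_CAPS - set(app_caps) - {"*"}
    if unexplained:
        findings.append(
            f"capabilities not justified by proxy-init or the app: {sorted(unexplained)}"
        )
    return findings


# The data-plane policy from this page as a dict (only the fields the
# linter reads are reproduced).
EMOJIVOTO_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "linkerd-emojivoto-data-plane"},
    "spec": {
        "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": True,
        "allowedCapabilities": ["NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"],
        "requiredDropCapabilities": ["ALL"],
        "runAsUser": {"rule": "RunAsAny"},
    },
}

# A constructed, overly permissive policy for contrast (not from the page).
LOOSE_PSP = {
    "apiVersion": "policy/v1beta1",
    "kind": "PodSecurityPolicy",
    "metadata": {"name": "constructed-loose-policy"},
    "spec": {
        "privileged": True,
        "allowedCapabilities": ["*"],
        "runAsUser": {"rule": "RunAsAny"},
    },
}

if __name__ == "__main__":
    for name, psp, caps in [
        ("emojivoto, web needs NET_BIND_SERVICE", EMOJIVOTO_PSP, {"NET_BIND_SERVICE"}),
        ("emojivoto, no app capabilities declared", EMOJIVOTO_PSP, set()),
        ("constructed loose policy", LOOSE_PSP, set()),
    ]:
        print(f"{name}: {lint_psp(psp, caps) or 'OK'}")
```

Run against the page’s policy with NET_BIND_SERVICE declared as an application need, the linter reports nothing; with no application capabilities declared it flags NET_BIND_SERVICE as unexplained, which is the prompt to document why the web container needs it rather than silently allowing it cluster-wide.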