Linkerd 2.10 series

  • Linkerd v2.10 Service Mesh
  • Tencent Cloud K8S deployment Service Mesh – Linkerd2 & Traefik2 deployment of the emojivoto application
  • Learn the basic features of Linkerd 2.10 and step into the era of Service Mesh
  • Linkerd 2.10 – Add your service to Linkerd
  • Linkerd 2.10 – Automated canary release
  • Linkerd 2.10 – Automatically rotate control plane TLS and webhook TLS credentials
  • Linkerd 2.10 – How to configure an external Prometheus instance
  • Linkerd 2.10 – Configure proxy concurrency
  • Linkerd 2.10 – Configure retries
  • Linkerd 2.10 – Configure timeouts
  • Linkerd 2.10 – Control plane debug endpoints
  • Linkerd 2.10 – Use Kustomize to customize the Linkerd configuration
  • Linkerd 2.10 – Use Linkerd for distributed tracing
  • Linkerd 2.10 – Debug 502s
  • Linkerd 2.10 – Debug HTTP applications using per-route metrics
  • Linkerd 2.10 – Debug gRPC applications using request tracing
  • Linkerd 2.10 – Export metrics
  • Linkerd 2.10 – Expose the dashboard
  • Linkerd 2.10 – Generate your own mTLS root certificate
  • Linkerd 2.10 – Get per-route metrics
  • Linkerd 2.10 – Inject faults for chaos engineering
  • Linkerd 2.10 – Graceful Pod shutdown
  • Linkerd 2.10 – Ingress traffic

Linkerd 2.10 Chinese edition

  • linkerd.hacker-linner.com

The Linkerd control plane ships with its own least-privilege Pod Security Policy and the RBAC resources that go with it. This Pod Security Policy is enforced only when the PodSecurityPolicy admission controller is enabled in the cluster.

To see the definition of the Pod security policy for the control plane, run:

kubectl describe psp -l linkerd.io/control-plane-ns=linkerd

Adjust the value of the label above to match the namespace your control plane is installed in.

Note that, to minimize the attack surface, all Linux capabilities except NET_ADMIN and NET_RAW are dropped by the control plane's Pod Security Policy. These two capabilities give the proxy-init init container the runtime privileges it needs to rewrite the Pod's iptables rules. Allowing these capabilities in a Pod Security Policy does not turn a container into a privileged container. The control plane Pod Security Policy also sets allowPrivilegeEscalation: false so that containers cannot gain more privileges than they start with. For the full meaning of NET_ADMIN and NET_RAW, see the Linux capabilities manual page.

If your environment does not allow containers to run with added Linux capabilities, you can install Linkerd with the CNI plugin, which removes the need for NET_ADMIN and NET_RAW in the Pods themselves.

Linkerd does not provide a default Pod Security Policy for the data plane, because the right policy depends on the security requirements of your application. The security context requirements of the Linkerd proxy sidecar container are very close to those defined in the control plane's Pod Security Policy.

For example, the following Pod Security Policy and RBAC resources can be used with the injected emojivoto demo application:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-emojivoto-data-plane
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 65535
      min: 10001
    rule: MustRunAs
  readOnlyRootFilesystem: true
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  - NET_BIND_SERVICE
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    ranges:
    - max: 65535
      min: 10001
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: emojivoto-psp
  namespace: emojivoto
rules:
- apiGroups: ['policy', 'extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['linkerd-emojivoto-data-plane']
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: emojivoto-psp
  namespace: emojivoto
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: emojivoto-psp
subjects:
- kind: ServiceAccount
  name: default
  namespace: emojivoto
- kind: ServiceAccount
  name: emoji
  namespace: emojivoto
- kind: ServiceAccount
  name: voting
  namespace: emojivoto
- kind: ServiceAccount
  name: web
  namespace: emojivoto

Note that the Linkerd proxy needs the NET_ADMIN and NET_RAW capabilities only when it runs without the Linkerd CNI plugin, and that it runs as UID 2102.
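To see how the data-plane policy above decides what it admits, here is a small dry-run checker. It is an added example, not code from the original post or from Linkerd itself. DATA_PLANE_PSP mirrors the linkerd-emojivoto-data-plane PodSecurityPolicy above; the two Pod specs are constructed samples in which the capabilities requested by the init container and the proxy's UID 2102 follow the text, while container names, volume names and the second Pod's settings are assumptions. The checks approximate the PodSecurityPolicy admission controller: fields that controller would default for you (allowPrivilegeEscalation, readOnlyRootFilesystem, dropped capabilities) are reported only when a spec sets them to a conflicting value.

```python
# Added example (not Linkerd code): dry-run a PodSecurityPolicy against Pod specs.
DATA_PLANE_PSP = {  # mirrors the linkerd-emojivoto-data-plane policy above
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "allowedCapabilities": ["NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"],
    "requiredDropCapabilities": ["ALL"],  # mutated in by the controller, never a violation
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 10001, "max": 65535}]},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 10001, "max": 65535}]},
    "runAsUser": {"rule": "RunAsAny"},
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI",
                "persistentVolumeClaim"],
}


def _in_ranges(value, ranges):
    """True when value falls inside one of the policy's {min, max} ranges."""
    return any(r["min"] <= value <= r["max"] for r in ranges)


def _check_id_rule(field, rule, value, owner, violations):
    """Apply a RunAsAny / MustRunAs / MustRunAsNonRoot rule to one numeric ID."""
    if value is None or rule["rule"] == "RunAsAny":
        return
    if rule["rule"] == "MustRunAsNonRoot" and value == 0:
        violations.append(f"{owner}: {field} 0 (root) not permitted")
    elif rule["rule"] == "MustRunAs" and not _in_ranges(value, rule["ranges"]):
        violations.append(f"{owner}: {field} {value} outside allowed ranges")


def check_pod(psp, pod):
    """Return the list of policy violations; an empty list means the Pod is admitted."""
    violations = []
    spec, name = pod["spec"], pod["metadata"]["name"]
    pod_sc = spec.get("securityContext", {})

    # Pod-level group IDs: MustRunAs requires every value to sit inside the ranges.
    _check_id_rule("fsGroup", psp["fsGroup"], pod_sc.get("fsGroup"), name, violations)
    for gid in pod_sc.get("supplementalGroups", []):
        _check_id_rule("supplementalGroups", psp["supplementalGroups"], gid, name, violations)

    # Every volume type must be on the allow-list (hostPath, for example, is not).
    for vol in spec.get("volumes", []):
        kind = next(k for k in vol if k != "name")
        if kind not in psp["volumes"]:
            violations.append(f"{name}: volume {vol['name']} uses disallowed type {kind}")

    # Container-level checks apply to init containers and app containers alike.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc, owner = c.get("securityContext", {}), f"{name}/{c['name']}"
        if sc.get("privileged") and not psp.get("privileged", False):
            violations.append(f"{owner}: privileged containers not permitted")
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            violations.append(f"{owner}: allowPrivilegeEscalation not permitted")
        if psp["readOnlyRootFilesystem"] and sc.get("readOnlyRootFilesystem") is False:
            violations.append(f"{owner}: root filesystem must be read-only")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in psp["allowedCapabilities"]:
                violations.append(f"{owner}: capability {cap} not in allowedCapabilities")
        _check_id_rule("runAsUser", psp["runAsUser"],
                       sc.get("runAsUser", pod_sc.get("runAsUser")), owner, violations)
    return violations


# Constructed sample: an injected emojivoto Pod. The init container adds only
# NET_ADMIN and NET_RAW and the proxy runs as UID 2102, as the text describes;
# container and volume names are assumed.
INJECTED_WEB_POD = {
    "metadata": {"name": "web", "namespace": "emojivoto"},
    "spec": {
        "securityContext": {"fsGroup": 10001},
        "volumes": [{"name": "identity-end-entity", "emptyDir": {"medium": "Memory"}}],
        "initContainers": [{"name": "linkerd-init", "securityContext": {
            "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
            "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]}}}],
        "containers": [
            {"name": "linkerd-proxy", "securityContext": {
                "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                "runAsUser": 2102, "capabilities": {"drop": ["ALL"]}}},
            {"name": "web-svc", "securityContext": {
                "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]}}},
        ],
    },
}

# Constructed sample: a looser Pod that the same policy must reject.
LOOSE_DEBUG_POD = {
    "metadata": {"name": "debug", "namespace": "emojivoto"},
    "spec": {
        "securityContext": {"fsGroup": 1000},
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "shell", "securityContext": {
            "allowPrivilegeEscalation": True, "capabilities": {"add": ["SYS_ADMIN"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (INJECTED_WEB_POD, LOOSE_DEBUG_POD):
        result = check_pod(DATA_PLANE_PSP, pod)
        print(pod["metadata"]["name"], "admitted" if not result else result)
```

The injected Pod passes because NET_ADMIN and NET_RAW are the only capabilities it adds and both are in allowedCapabilities, while UID 2102 is accepted by the RunAsAny rule. The second Pod collects four violations (fsGroup outside the range, a hostPath volume, privilege escalation, and SYS_ADMIN), which is the kind of answer the real admission controller gives when a workload in the namespace asks for more than the policy grants.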

I am Weishao. WeChat: uuhells123. Public account: Hackers' Afternoon Tea. Add me on WeChat (for mutual learning and exchange) and follow the public account (for more learning materials).