github.com/cilium/cilium@v1.16.2/Documentation/security/restrict-pod-access.rst

github.com/cilium/cilium@v1.16.2/Documentation/security/restrict-pod-access.rst (about)

     1  .. only:: not (epub or latex or html)
     2  
     3      WARNING: You are looking at unreleased Cilium documentation.
     4      Please use the official rendered version released here:
     5      https://docs.cilium.io
     6  
     7  .. _security_restrict_pod_access:
     8  
     9  ========================================
    10  Restricting privileged Cilium pod access
    11  ========================================
    12  
    13  This page shows you how to restrict privileged access to Cilium pods by limiting access from the Kubernetes API, specifically from `kubernetes exec pod`_.
    14  
    15  .. include:: gsg_requirements.rst
    16  
    17  Background
    18  ----------
    19  
    20  The Cilium agent needs some specific Linux capabilities to perform essential system and network operations.
    21  
    22  Cilium relies on Kubernetes and containers to set up the environment and mount the corresponding volumes. Cilium doesn't perform any extra operations that could result in an unsafe volume mount. 
    23  
    24  Cilium needs kernel interfaces to properly configure the environment. Some kernel interfaces are part of the ``/proc`` filesystem, which includes host and machine configurations that can't be virtualized or namespaced.
    25  
    26  If ``pod exec`` operations aren't restricted, then remote `exec into pods`_ and containers defeats Linux namespace restrictions.
    27  
    28  The Linux kernel restricts joining other namespaces by default. To enter the Cilium container, the ``CAP_SYS_ADMIN`` capability is required in both the current user namespace and in the Cilium user namespace (the initial namespace). If both namespaces have the ``CAP_SYS_ADMIN`` capability, then this is already a privileged access.
    29  
    30  To prevent privileged access to Cilium pods, restrict access to the Kubernetes API and arbitrary ``pod exec`` operations.
    31  
    32  Restrict authorization for ``kubernetes exec pod``
    33  --------------------------------------------------
    34  
    35  To restrict access to Cilium pods through ``kubernetes exec pod``:
    36  
    37  1. Configure `RBAC authorization`_ in Kubernetes.
    38  
    39  2. Limit `access to the proxy subresource of Nodes`_.
    40  
    41  References
    42  ----------
    43  
    44  For more information about namespace security, visit:
    45  
    46  - https://man7.org/linux/man-pages/man7/user_namespaces.7.html
    47  - https://man7.org/linux/man-pages/man1/nsenter.1.html
    48  - https://man7.org/linux/man-pages/man2/setns.2.html
    49  
    50  .. _kubernetes exec pod: https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/
    51  .. _exec into pods: https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/
    52  .. _RBAC authorization: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
    53  .. _access to the proxy subresource of Nodes: https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes