
CFP: cilium connectivity test to support dropping capabilities #2265

Open
blackliner opened this issue Jan 22, 2024 · 2 comments
Labels: help wanted, kind/community-report, kind/enhancement

Comments

@blackliner

Cilium Feature Proposal

Thanks for taking time to make a feature proposal for Cilium! If you have usage questions, please try the slack channel and see the FAQ first.

Is your proposed feature related to a problem?
It is currently not possible to run cilium connectivity test when admissionControl PodSecurity enforces anything above privileged. This is the case for Talos by default, see https://www.talos.dev/v1.6/kubernetes-guides/configuration/pod-security/

You will get errors like these for the DaemonSets (and no Pods will be created):

pods "host-netns-9bz74" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "host-netns" must not include "NET_RAW" in securityContext.capabilities.add), host namespaces (hostNetwork=true)

or

(container "echo-external-node" must set securityContext.capabilities.drop=["ALL"]; container "echo-external-node" must not include "NET_RAW" in securityContext.capabilities.add)

Describe the feature you'd like

Command-line arguments, like the ones we have for the helm chart (securityContext.capabilities.cleanCiliumState and securityContext.capabilities.ciliumAgent), when running cilium connectivity test.

An alternative is to disable enforcement for the namespace:

kubectl label namespace cilium-test pod-security.kubernetes.io/enforce=privileged
@blackliner blackliner added the kind/feature label Jan 22, 2024
@joestringer joestringer changed the title CFP: cilium connectivity test to support dropping CFP: cilium connectivity test to support dropping capabilities Jan 22, 2024
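A pre-flight check for the admission failures quoted above, added here as an example (it is not cilium-cli code and not the issue author's): it evaluates a pod spec against the host-network and capability controls of the baseline and restricted Pod Security Standards profiles, the way PodSecurity admission reports them, and returns the least-privileged pod-security.kubernetes.io/enforce value a namespace would need to admit the pod. The sample pod is constructed to resemble the host-netns DaemonSet pod from the error message; the full profiles also cover controls (seccomp, runAsNonRoot, privilege escalation) that this check does not implement.

```python
# Constructed sample shaped like the host-netns DaemonSet pod quoted in the issue
# (hostNetwork plus NET_RAW); it is not the real cilium-cli manifest.
HOST_NETNS_POD = {
    "metadata": {"name": "host-netns-9bz74"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "host-netns",
                             "securityContext": {"capabilities": {"add": ["NET_RAW"]}}}]},
}

# capabilities.add values the baseline profile tolerates (Kubernetes Pod Security Standards)
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

def _containers(pod):
    spec = pod.get("spec") or {}
    return (spec.get("initContainers") or []) + (spec.get("containers") or [])

def _caps(container):
    return (container.get("securityContext") or {}).get("capabilities") or {}

def baseline_violations(pod):
    """Host-network and capability checks behind the baseline error quoted in the issue."""
    out = ["host namespaces (hostNetwork=true)"] if (pod.get("spec") or {}).get("hostNetwork") else []
    for c in _containers(pod):
        for cap in _caps(c).get("add") or []:
            if cap not in BASELINE_ALLOWED_ADD:
                out.append(f'container "{c["name"]}" must not include "{cap}" '
                           "in securityContext.capabilities.add")
    return out

def restricted_violations(pod):
    """Restricted also demands drop=["ALL"], and only NET_BIND_SERVICE may be added back."""
    out = baseline_violations(pod)
    for c in _containers(pod):
        caps = _caps(c)
        if "ALL" not in (caps.get("drop") or []):
            out.append(f'container "{c["name"]}" must set securityContext.capabilities.drop=["ALL"]')
        if any(cap != "NET_BIND_SERVICE" and cap in BASELINE_ALLOWED_ADD for cap in caps.get("add") or []):
            out.append(f'container "{c["name"]}" may only add NET_BIND_SERVICE under restricted')
    return out

def minimum_enforce_level(pod):
    """Least-privileged pod-security.kubernetes.io/enforce value admitting the pod on these controls."""
    if not restricted_violations(pod):
        return "restricted"
    return "baseline" if not baseline_violations(pod) else "privileged"
```

Running it on the sample pod yields "privileged", which is exactly why the namespace-label workaround above is needed until the test pods can be told to drop NET_RAW.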
@squeed
Contributor

squeed commented Jan 26, 2024

This is a great suggestion! We should totally thin down the set of privileges required by the connectivity test pods.

@squeed
Contributor

squeed commented Jan 26, 2024

FYI, I'm moving this issue over to the https://github.com/cilium/cilium-cli/ repository.

@squeed squeed closed this as not planned Jan 26, 2024
@squeed squeed reopened this Jan 26, 2024
@squeed squeed transferred this issue from cilium/cilium Jan 26, 2024
@squeed squeed added help wanted, kind/community-report and kind/enhancement and removed kind/feature labels Jan 26, 2024