mirror of https://github.com/linkerd/linkerd2.git
faf0ff62f7
Closes #9676 This adds the `pod-security.kubernetes.io/enforce` label as described in [Pod Security Admission labels for namespaces](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces). PSA gives us three different possible values (policies or modes): [privileged, baseline and restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/). For non-CNI mode, the proxy-init container relies on granting the NET_RAW and NET_ADMIN capabilities, which places those pods under the `restricted` policy. OTOH for CNI mode we can enforce the `restricted` policy, by setting some defaults on the containers' `securityContext` as done in this PR. Also note this change also adds the `cniEnabled` entry in the `values.yaml` file for all the extension charts, which determines what policy to use. Final note: this includes the fix from #9717, otherwise an empty gateway UID prevents the pod to be created under the `restricted` policy. ## How to test As this is only enforced as of k8s 1.25, here are the instructions to run 1.25 with k3d using Calico as CNI: ```bash # launch k3d with k8s v1.25, with no flannel CI $ k3d cluster create --image='+v1.25' --k3s-arg '--disable=local-storage,metrics-server@server:0' --no-lb --k3s-arg --write-kubeconfig-mode=644 --k3s-arg --flannel-backend=none --k3s-arg --cluster-cidr=192.168.0.0/16 --k3s-arg '--disable=servicelb,traefik@server:0' # install Calico $ k apply -f https://k3d.io/v5.1.0/usage/advanced/calico.yaml # load all the images $ bin/image-load --k3d proxy controller policy-controller web metrics-api tap cni-plugin jaeger-webhook # install linkerd-cni $ bin/go-run cli install-cni|k apply -f - # install linkerd-crds $ bin/go-run cli install --crds|k apply -f - # install linkerd-control-plane in CNI mode $ bin/go-run cli install --linkerd-cni-enabled|k apply -f - # Pods should come up without issues. You can also try the viz and jaeger extensions. # Try removing one of the securityContext entries added in this PR, and the Pod # won't come up. You should be able to see the PodSecurity error in the associated # ReplicaSet. ``` To test the multicluster extension using CNI, check this [gist](https://gist.github.com/alpeb/4cbbd5ad87538b9e0d39a29b4e3f02eb) with a patch to run the multicluster integration test with CNI in k8s 1.25. |
||
|---|---|---|
| .. | ||
| cmd | ||
| flag | ||
| table | ||
| Dockerfile | ||
| main.go | ||