Envoy allowPrivilegeEscalation. Is it needed?

Hello Team, I have a query.

Does envoy docker image used in the service mesh need privilege escalation ? I have been following up on latest beta releases for consul-k8s and I see that security context is enforced but privilege escalation is still allowed.

reference: consul-k8s/CHANGELOG.md at master · hashicorp/consul-k8s · GitHub

We have a security policy implemented in our k8s cluster that do not allow any containers to run in allow privilege escalation mode.

Can someone clarify if allow privilege escalation is needed or not ? If needed then in what circumstances that would be needed ?

Thanks

Hi @ashwinkupatkar! The priv escalation is required so that we can execute iptables commands inside the init container for transparent proxy. This runs as an init container and exits before the application starts so it should be less of a risk than if it were a long running task.

If you are not using tproxy then it will not add any additional privs.

1 Like

thanks for the reply @kschoche1. I understand it.

by tproxy you mean Transparent Proxy ?

another query - When are we expecting a GA for consul-k8s-0.26.0 ?

Sorry for the confusion, I meant transparent proxy! :slight_smile:

We don’t have a public release date yet but are targeting in the next month or so.

1 Like