Hello,
I am deploying Consul on Kubernetes. Gatekeeper is installed with policies that catch privilege escalation and access to the root file system with the root user, and they block the injection.
I am not the administrator of Kubernetes and I can't manage the policies.
But in order to test the CNI plugin, I got a namespace exempted from Gatekeeper's control policies.
So I try to deploy with the CNI plugin to avoid the usage of privilege escalation and access to the root file system with the root user by consul-connect-inject-init.
```yaml
# values.yaml
---
connectInject:
  enabled: true
  transparentProxy:
    defaultEnabled: true
  cni:
    enabled: true
    logLevel: debug
    namespace: reserved-consul-cni
  k8sAllowNamespaces:
    - consul-dev
controller:
  enabled: true
global:
  acls:
    createReplicationToken: true
    default_policy: deny
    down_policy: extend-cache
    manageSystemACLs: true
  datacenter: kube-dev-dc1
  federation:
    createFederationSecret: false
    enabled: false
  image: hashicorp/consul:1.14.0
  imageConsulDataplane: hashicorp/consul-dataplane:1.0.6
  imageK8S: hashicorp/consul-k8s-control-plane:1.0.10
  imagePullSecrets:
    - name: artifactory-cred
  logJSON: true
  logLevel: debug
  name: consul
  serverAdditionalDNSSANs:
    - consul-server.consul.svc.cluster.local
  tls:
    enableAutoEncrypt: true
    enabled: true
    verify: true
server:
  replicas: 3
ui:
  enabled: true
  service:
    port:
      http: 80
      https: 443
    type: ClusterIP
```
I deploy Consul in the consul-dev namespace, where the Gatekeeper policies are applied,
and I deploy the Consul CNI plugin in reserved-consul-cni, which is exempted from the Gatekeeper policies.
Deployment is OK.
Cluster versions:
Kubernetes v1.22.9
Helm chart 1.0.10
image: hashicorp/consul:1.14.0
imageConsulDataplane: hashicorp/consul-dataplane:1.0.6
imageK8S: hashicorp/consul-k8s-control-plane:1.0.10
Unless I'm mistaken, following the documentation, if I use the CNI plugin, consul-connect-inject-init will not need to use the root user or read/write the root filesystem, right?
From the documentation, PR and docs:
- Consul on Kubernetes CNI Plugin in v1.13 : Consul 1.13 Introduces Cluster Peering
- how to enable CNI plugin : Enable transparent proxy mode | Consul | HashiCorp Developer
In my opinion the CNI plugin's role is to fix this issue: Transparent Proxy CNI Plug-in: escalated privileges required on Consul containers · Issue #635 · hashicorp/consul-k8s · GitHub
In some place I read:
"By default, Consul generates a connect-inject init container as part of the Kubernetes Pod startup process. The container configures traffic redirection in the service mesh through the sidecar proxy. To configure redirection, the container requires elevated CAP_NET_ADMIN privileges, which may not be compatible with security policies in your organization."
So privilege escalation and a read-write root filesystem shouldn't be needed?
When I try to deploy static-client and server as described in the tutorial, I get this (as if I hadn't deployed the Consul CNI plugin):
admission webhook "validation.gatekeeper.sh" denied the request:
[psp-allow-privilege-escalation-container] Privilege escalation
container is not allowed: consul-connect-inject-init
[psp-allow-privilege-escalation-container] Privilege escalation
container is not allowed: consul-dataplane
[psp-readonlyrootfilesystem] only read-only root filesystem container is
allowed: consul-connect-inject-init
For dataplane I note that I must deploy consul 1.2.2, because in this release "control-plane: When using transparent proxy or CNI, reduced required permissions by setting privileged to false." (Release v1.2.2 · hashicorp/consul-k8s · GitHub)
But for consul-connect-inject-init, what is wrong?
Thank you in advance for your help.
Best regards.
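As an added example (not part of the original post or of the consul-k8s project), the following script reproduces locally the two Gatekeeper checks named in the webhook error above, so an injected pod spec can be inspected before admission. It assumes the constraints behave like the upstream gatekeeper-library templates (a container is denied unless `allowPrivilegeEscalation` is explicitly `false` and `readOnlyRootFilesystem` is explicitly `true`); the function names and the sample pod are constructed for the example.

```python
# Local pre-check mirroring the two Gatekeeper constraints from the post
# (psp-allow-privilege-escalation-container, psp-readonlyrootfilesystem).
# Assumption: like the upstream gatekeeper-library templates, a container is
# denied unless allowPrivilegeEscalation is explicitly false and
# readOnlyRootFilesystem is explicitly true. Function names are hypothetical.

def _containers(pod: dict) -> list:
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))

def allows_privilege_escalation(container: dict) -> bool:
    sc = container.get("securityContext") or {}
    # privileged: true always implies allowPrivilegeEscalation in Kubernetes.
    if sc.get("privileged") is True:
        return True
    return sc.get("allowPrivilegeEscalation") is not False

def writable_root_fs(container: dict) -> bool:
    sc = container.get("securityContext") or {}
    return sc.get("readOnlyRootFilesystem") is not True

def gatekeeper_violations(pod: dict) -> list:
    """Return messages in the same shape as the admission webhook output."""
    msgs = []
    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        if allows_privilege_escalation(c):
            msgs.append("[psp-allow-privilege-escalation-container] "
                        f"Privilege escalation container is not allowed: {name}")
        if writable_root_fs(c):
            msgs.append("[psp-readonlyrootfilesystem] only read-only root "
                        f"filesystem container is allowed: {name}")
    return msgs

# Constructed pod spec shaped like the injected static-client pod in the post.
SAMPLE_POD = {"spec": {
    "initContainers": [
        {"name": "consul-connect-inject-init",
         "securityContext": {"runAsUser": 0, "privileged": True}}],
    "containers": [
        {"name": "static-client", "securityContext": {
            "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}},
        {"name": "consul-dataplane",
         "securityContext": {"readOnlyRootFilesystem": True}}],
}}
```

Running `gatekeeper_violations(SAMPLE_POD)` yields the same three denials as the webhook output quoted in the post; the real constraints in a given cluster may differ from the upstream templates, so treat this as a pre-flight check, not the policy itself.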