Run Calico node as non-privileged and non-root

Big picture

Run long-lived Calico components in non-privileged and non-root containers.

Value

Running Calico in non-privileged and non-root mode is an option for users who want to secure Calico as much as possible and who do not need Calico features beyond basic Calico networking and network policy. The tradeoff for the added security is more operational overhead in managing Calico networking. For example, Calico no longer corrects misconfigurations caused by other components within your cluster, and new features receive limited support in this mode.

Concepts

To run Calico as securely as possible, long-running Calico components (for example calico/node) can be run without privileged and root permissions in their respective containers. Note that to set up these components, the init containers still need to run with privileged and root permissions, but the risk to cluster security is minimal because of the ephemeral nature of init containers.

Supported

  • Operator installation only.

Unsupported

  • Calico Enterprise
  • eBPF dataplane
  • WorkloadSourceSpoofing felix option and the related cni.projectcalico.org/allowedSourcePrefixes annotation

Note:

Support for features added after Calico v3.21 is not guaranteed.

How to

  1. Follow the Tigera Calico operator installation instructions. If you have already installed the operator, skip to the next step.

  2. Edit the Calico installation to set the nonPrivileged field to Enabled.

    kubectl edit installation default

    Your installation resource should look similar to the following:

    apiVersion: operator.tigera.io/v1
    kind: Installation
    metadata:
      name: default
    spec:
      calicoNetwork:
        bgp: Enabled
        hostPorts: Enabled
        ipPools:
        - blockSize: 26
          cidr: 192.168.0.0/16
          encapsulation: VXLANCrossSubnet
          natOutgoing: Enabled
          nodeSelector: all()
        linuxDataplane: Iptables
        multiInterfaceMode: None
        nodeAddressAutodetectionV4:
          firstFound: true
      cni:
        ipam:
          type: Calico
        type: Calico
      controlPlaneReplicas: 2
      flexVolumePath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
      nodeUpdateStrategy:
        rollingUpdate:
          maxUnavailable: 1
        type: RollingUpdate
      nonPrivileged: Enabled
      variant: Calico

  3. The calico-node pods in the calico-system namespace should now restart. Verify that they restart properly.

    watch kubectl get pods -n calico-system

Calico should now be running calico-node in non-privileged and non-root containers.
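Watching the pods restart shows they are running, not that the long-lived containers actually dropped privileged and root. The following added example (not from the Calico project) reads the JSON that `kubectl get pods -n calico-system -o json` produces and flags any calico-node container in spec.containers that is still privileged or may run as root, while skipping init containers, which the page says still need those permissions; the sample pod list, container names and UID are constructed for illustration.

```python
import json

def container_findings(pod: dict) -> list:
    """Findings for long-lived containers (spec.containers) still privileged or root.

    Init containers are deliberately skipped: they still need privileged/root to
    set calico-node up and exit once done. The pod-level securityContext is used as
    the fallback for runAsUser/runAsNonRoot, as Kubernetes applies it to containers
    that do not set their own.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        cname = f"{name}/{c.get('name', '?')}"
        if sc.get("privileged") is True:
            findings.append(f"{cname}: privileged=true")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0:
            findings.append(f"{cname}: runAsUser=0")
        elif uid is None and non_root is not True:
            findings.append(f"{cname}: no runAsUser and runAsNonRoot unset, may run as root")
    return findings

def check_kubectl_json(raw: str, prefix: str = "calico-node") -> list:
    """Run the check over `kubectl get pods -n calico-system -o json` output."""
    doc = json.loads(raw)
    pods = doc.get("items", [doc])  # accept a single pod or a List
    return [f for p in pods
            if p.get("metadata", {}).get("name", "").startswith(prefix)
            for f in container_findings(p)]

# Constructed sample, trimmed to the fields read above (names and UID are illustrative).
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "calico-node-ok"}, "spec": {
        "initContainers": [{"name": "install-cni", "securityContext": {"privileged": True}}],
        "containers": [{"name": "calico-node", "securityContext": {
            "privileged": False, "runAsNonRoot": True, "runAsUser": 10001}}]}},
    {"metadata": {"name": "calico-node-old"}, "spec": {
        "containers": [{"name": "calico-node", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "calico-typha-x"}, "spec": {
        "containers": [{"name": "calico-typha", "securityContext": {"privileged": True}}]}},
]})

if __name__ == "__main__":
    for finding in check_kubectl_json(SAMPLE):
        print(finding)
```

Pipe live output into `check_kubectl_json` to run the same check against a cluster; an empty result means every calico-node container is non-privileged and non-root.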