Linkerd and Pod Security Policies (PSP)

The Linkerd control plane comes with its own minimally privileged Pod Security Policy and the associated RBAC resources. This Pod Security Policy is enforced only if the PodSecurityPolicy admission controller is enabled.

To view the definition of the control plane’s Pod Security Policy, run:

  1. kubectl describe psp -l linkerd.io/control-plane-ns=linkerd

Adjust the value of the above label to match your control plane’s namespace.

Notice that to minimize attack surface, all Linux capabilities are dropped from the control plane’s Pod Security Policy, with the exception of the NET_ADMIN and NET_RAW capabilities. These capabilities provide the proxy-init init container with runtime privilege to rewrite the pod’s iptable. Note that adding these capabilities to the Pod Security Policy doesn’t make the container a privileged container. The control plane’s Pod Security Policy prevents container privilege escalation with the allowPrivilegeEscalation: false policy. To understand the full implication of the NET_ADMIN and NET_RAW capabilities, refer to the Linux capabilities manual.

More information on the iptables rules used by the proxy-init init container can be found on the Architecture page.

If your environment disallows the operation of containers with escalated Linux capabilities, Linkerd can be installed with its CNI plugin, which doesn’t require the NET_ADMIN and NET_RAW capabilities.

Linkerd doesn’t provide any default Pod Security Policy for the data plane because the policies will vary depending on the security requirements of your application. The security context requirement for the Linkerd proxy sidecar container will be very similar to that defined in the control plane’s Pod Security Policy.

For example, the following Pod Security Policy and RBAC will work with the injected emojivoto demo application:

  1. apiVersion: policy/v1beta1
  2. kind: PodSecurityPolicy
  3. metadata:
  4.   name: linkerd-emojivoto-data-plane
  5. spec:
  6.   allowPrivilegeEscalation: false
  7.   fsGroup:
  8.     ranges:
  9.     - max: 65535
  10.       min: 10001
  11.     rule: MustRunAs
  12.   readOnlyRootFilesystem: true
  13.   allowedCapabilities:
  14.   - NET_ADMIN
  15.   - NET_RAW
  16.   - NET_BIND_SERVICE
  17.   requiredDropCapabilities:
  18.   - ALL
  19.   runAsUser:
  20.     rule: RunAsAny
  21.   seLinux:
  22.     rule: RunAsAny
  23.   supplementalGroups:
  24.     ranges:
  25.     - max: 65535
  26.       min: 10001
  27.     rule: MustRunAs
  28.   volumes:
  29.   - configMap
  30.   - emptyDir
  31.   - projected
  32.   - secret
  33.   - downwardAPI
  34.   - persistentVolumeClaim
  35. ---
  37. apiVersion: rbac.authorization.k8s.io/v1
  38. kind: Role
  39. metadata:
  40.   name: emojivoto-psp
  41.   namespace: emojivoto
  42. rules:
  43. - apiGroups: ['policy','extensions']
  44.   resources: ['podsecuritypolicies']
  45.   verbs: ['use']
  46.   resourceNames: ['linkerd-emojivoto-data-plane']
  47. ---
  49. apiVersion: rbac.authorization.k8s.io/v1
  50. kind: RoleBinding
  51. metadata:
  52.   name: emojivoto-psp
  53.   namespace: emojivoto
  54. roleRef:
  55.   apiGroup: rbac.authorization.k8s.io
  56.   kind: Role
  57.   name: emojivoto-psp
  58. subjects:
  59. - kind: ServiceAccount
  60.   name: default
  61.   namespace: emojivoto
  62. - kind: ServiceAccount
  63.   name: emoji
  64.   namespace: emojivoto
  65. - kind: ServiceAccount
  66.   name: voting
  67.   namespace: emojivoto
  68. - kind: ServiceAccount
  69.   name: web
  70.   namespace: emojivoto

Note that the Linkerd proxy only requires the NET_ADMIN and NET_RAW capabilities when running without Linkerd CNI, and it’s run with UID 2102.