Restricting privileged Cilium pod access
This page shows you how to restrict privileged access to Cilium pods by limiting access from the Kubernetes API, specifically from kubernetes exec pod.
If you haven’t read the Introduction to Cilium & Hubble yet, we’d encourage you to do that first.
The best way to get help if you get stuck is to ask a question on Cilium Slack. With Cilium contributors across the globe, there is almost always someone available to help.
Setup Cilium
If you have not set up Cilium yet, follow the guide Cilium Quick Installation for instructions on how to quickly bootstrap a Kubernetes cluster and install Cilium. If in doubt, pick the minikube route, you will be good to go in less than 5 minutes.
Background
The Cilium agent needs some specific Linux capabilities to perform essential system and network operations.
Cilium relies on Kubernetes and containers to set up the environment and mount the corresponding volumes. Cilium doesn’t perform any extra operations that could result in an unsafe volume mount.
Cilium needs kernel interfaces to properly configure the environment. Some kernel interfaces are part of the /proc filesystem, which includes host and machine configurations that can’t be virtualized or namespaced.
If pod exec operations aren’t restricted, then remote exec into pods and containers defeats Linux namespace restrictions.
The Linux kernel restricts joining other namespaces by default. To enter the Cilium container, the CAP_SYS_ADMIN capability is required in both the current user namespace and in the Cilium user namespace (the initial namespace). If both namespaces have the CAP_SYS_ADMIN capability, then this is already a privileged access.
To prevent privileged access to Cilium pods, restrict access to the Kubernetes API and arbitrary pod exec operations.
References
For more information about namespace security, visit: