Baseline Pod Security Standard and service meshes - how to reconcile?

Mark_Kharitonov · July 10, 2023, 2:19am

Take for example the linkerd service mesh. Using it with the baseline PSS results in the following error:

Error from server (Forbidden): pods "test" is forbidden: violates PodSecurity "baseline:v1.25": non-default capabilities (container "linkerd-init" must not include "NET_ADMIN", "NET_RAW" in securityContext.capabilities.add)

I wonder what can be done about it? On one hand, linkerd-init must have these capabilities. On the other hand, I do not see how this can reconcile with the PSS. The currently implemented exemptions mechanism (through user name, runtime class or namespace) is not fine enough to apply to a sidecar.

Any ideas on how this conundrum can be resolved?

oocx · January 3, 2024, 6:04am

Hi Mark! Did you find anything useful somewhere else? I searched for the same question and found your question without any answers here.

Thanks
Mathias

Mark_Kharitonov · January 3, 2024, 6:17am

No, I have not found anything.

Topic		Replies	Views
Error from server (Forbidden): error when creating pods ...is forbidden General Discussions security	0	4487	April 3, 2019
[Security Advisory] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Announcements	0	1003	November 14, 2023
securityContext runAsNonRoot not working General Discussions	2	1884	August 16, 2020
PSPs and gaining root access on nodes General Discussions security	2	1594	August 27, 2020
[Security Advisory] CVE-2021-25737: Holes in EndpointSlice Validation Enable Host Network Hijack Announcements	0	753	May 18, 2021

Baseline Pod Security Standard and service meshes - how to reconcile?

Related Topics