vEth creation inside PoD environment

Acdam_Bacdam · June 29, 2022, 11:26am

Asking for help? Comment out what you need so we can get more information to help you!

Cluster information:

Kubernetes version: 1.22
Cloud being used: (put bare-metal if not on a public cloud) : Bare-metal
Installation method:
Host OS: Centos 7
CNI and version:
CRI and version:

Hi Experts,

I am working on a requirement where my application is using a third party library specifically for data plane communication. The third party library creates virtual interface at init time and further uses that vEth for internal functionality. When I run same App on Bare-metal, it works fine, where as when I run this application inside Pod having host-network permissions then also it works fine.

But while running same application without host-network permissions, it fails to create vEth at init time successfully.

As I don’t want to expose whole host network inside the Pod, do we have any other way / permissions via which any application inside PoD should be able to create vEth without exposing whole host network ?

Example to check similar functionality via Linux commands:

Deploy PoD with host-network permissions:
Create a link using command : ip link add vEth0 type dummy
Result : It creates vEth0 (ifconfig -a) and also creates at /sys/devices/virtual/net/vEth0
Deploy PoD without host-network permissions:
Create a link using command : ip link add vEth0 type dummy
Result : It does not create vEth0 at /sys/devices/virtual/net/vEth0

DeDze · June 29, 2022, 8:47pm

Hi,

You can try to add the CAP_NET_ADMIN capability to the container.

...
securityContext:
      capabilities:
        add: ["CAP_NET_ADMIN"]

Check capabilities(7) - Linux manual page for a list of linux capabilities.

Acdam_Bacdam · June 30, 2022, 12:11pm

Hi @DeDze,

Thanks for looking into and responding on this query.
I have already tried with NET_ADMIN, but that didn’t work too.

As a quick check without deploying application and all, I use to check below commands too.
If incase you have any pod deployed with NET_ADMIN, would it be feasible for you to just check the results of below command.

Deploy PoD without host-network permissions and have CAP_NET_ADMIN in capabilities:
Create a link using command : ip link add vEth0 type dummy
Without host-network, it does not create vEth0 at /sys/devices/virtual/net/vEth0
Where as it creates it when we deploy it with host-network permissions

With Best Regards,

Acdam_Bacdam · July 7, 2022, 3:05am

Hello Experts,

Would be of great help, if I get any direction on this issue.

With Best Regards,