Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-549

Ensure pods containing Istio sidecar can run under the restricted SecurityContextConstraint

XMLWordPrintable

    • Maistra TP sprint 12

      Previously, any pod containing the Istio sidecar had to run under the privileged SCC. Istio CNI partially solves this, since the pod no longer contains the init container that manipulates iptables rules (and thus needs to be run as privileged: true). Using Istio CNI and MAISTRA-548, pods can now run under the anyuid SCC. Requiring the use of the anyuid SCC is still considered as requiring elevated privileges.

      Application pods using Istio must be able to run with just the restricted SCC. To achieve this, we need to:

      • drop additional Kernel capabilities (SETUID, SETGID, KILL) from the sidecar container just like in MAISTRA-548
      • run the proxy with a userID from the project's range of allowed user IDs instead of always using user ID 1337 (each project/namespace has an annotation that specifies the range of userIDs that containers can use - example: openshift.io/sa.scc.uid-range: 1000120000/10000. By default, OpenShift runs containers with the first UID from that range, but the proxy needs to run with a different UID so that iptables rules can differentiate between app's and the proxy's packets)

          There are no Sub-Tasks for this issue.

              mluksa@redhat.com Marko Luksa
              mluksa@redhat.com Marko Luksa
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: