3

I'm working in kube-proxy development and I'm at the stage of understanding the purpose and execution of kube-proxy.

I know that kube-proxy adds iptables rules to enable users to access the exposed pods (which is a Kubernetes service in iptables mode).

What makes me wonder is the fact that those rules are added on the host node where a pod of kube-proxy is running, and it's not clear how this pod is capable of obtaining those privileges on the host node.

I have taken a look at the Kubernetes code without success in finding this specific part, so if you have any idea, resource, or documentation that would help me figure this out, it would be appreciated.

elia
  • 239
  • 3
  • 16

2 Answers

3

kube-proxy.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: gcr.io/google_containers/hyperkube:v1.0.6
    command:
    - /hyperkube
    - proxy
    - --master=http://127.0.0.1:8080
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

According to Pod Security Policies document:

Privileged - determines if any container in a pod can enable privileged mode. By default a container is not allowed to access any devices on the host, but a “privileged” container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. This is useful for containers that want to use linux capabilities like manipulating the network stack and accessing devices.

In other words, it gives the container or the pod (depending on the context) most of root's privileges.

There are many more options to control pod capabilities in the securityContext section:

  • Privilege escalation
  • Linux Capabilities
  • SELinux
  • Volumes
  • Users and groups
  • Networking

Consider reading the full article for details and code snippets.

VAS
  • 8,538
  • 1
  • 28
  • 39
  • Perhaps this could help you to find out how a privileged container is started: https://sourcegraph.com/github.com/eBay/Kubernetes@master/-/blob/Godeps/_workspace/src/github.com/fsouza/go-dockerclient/exec.go#L127 – VAS Jun 01 '18 at 12:50
  • The answer is very helpful, but it didn't serve the purpose of the question. I didn't mean how to enable this in Kubernetes, but how to reach a point where you have a Docker container running with such privileges. I was looking for such a thing in Docker and all that I got was "ssh to the host node from the container", which is bizarre. So, to rephrase my question: it's not how to ENABLE it, it's the lower level, how kube is doing it. Anyway, thanks for the answer :) – elia Jun 04 '18 at 11:50
  • https://stackoverflow.com/questions/36425230/privileged-containers-and-capabilities, OK, I figured things out, thank you – elia Jun 04 '18 at 11:58
0

In my kube-proxy.yaml, there is a configuration setting about privileges, like this:

securityContext:
  privileged: true

I think this will give kube-proxy enough privileges.

Kun Li
  • 2,570
  • 10
  • 15
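Both answers point at the same two settings, privileged: true and hostNetwork: true, as the source of kube-proxy's host-level reach. The following audit function is an added example (not code from the question, the answers, or Kubernetes itself) that flags those settings, plus the related securityContext knobs the first answer lists, in a Pod manifest. The manifest is a constructed copy of the kube-proxy Pod from the first answer, already loaded into a dict, which is the shape yaml.safe_load would give you.

```python
"""Audit a Pod manifest for settings that grant host-level privileges."""
# Added example. KUBE_PROXY_POD is a constructed copy of the manifest in the
# first answer, loaded as a dict so the script runs without PyYAML.

KUBE_PROXY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "kube-proxy",
            "image": "gcr.io/google_containers/hyperkube:v1.0.6",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"mountPath": "/etc/ssl/certs",
                              "name": "ssl-certs-host", "readOnly": True}],
        }],
        "volumes": [{"name": "ssl-certs-host",
                     "hostPath": {"path": "/usr/share/ca-certificates"}}],
    },
}

# Capabilities that on their own reach the host's network stack, mounts or processes.
RISKY_CAPS = {"NET_ADMIN", "NET_RAW", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit_pod(pod):
    """Return (severity, finding) tuples; an empty list means nothing host-level."""
    spec = pod.get("spec", {})
    findings = []
    # Host namespaces: hostNetwork is what lets kube-proxy edit the node's iptables.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(("high", f"spec.{key}=true shares the host {key[4:].lower()} namespace"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            findings.append(("critical", f"container {name}: privileged=true (all host devices and capabilities)"))
        elif sc.get("allowPrivilegeEscalation", True):
            # Defaults to true; set it to false explicitly unless the workload needs setuid/file caps.
            findings.append(("medium", f"container {name}: allowPrivilegeEscalation not set to false"))
        added = set((sc.get("capabilities") or {}).get("add") or []) & RISKY_CAPS
        if added:
            findings.append(("high", f"container {name}: adds capabilities {sorted(added)}"))
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(("medium", f"volume {v.get('name')}: hostPath {v['hostPath'].get('path')}"))
    return findings
```

Running audit_pod(KUBE_PROXY_POD) reports hostNetwork, the privileged container and the hostPath volume, which is exactly the set of settings the answers identify; a pod with none of them and allowPrivilegeEscalation: false yields an empty list.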