When an app is pushed with Eirini, the pods are assigned the default Service Account in `app_namespace`. By default, when the cluster is deployed with the RBAC authorization mode, that Service Account should not have any read/write permissions to the Kubernetes API. Since RBAC is preferred to ABAC, we recommend using the former.
Apps pushed by Eirini currently cannot be accessed directly from another app container. This is accomplished by creating a NetworkPolicy resource in the namespace in which Eirini deploys apps.

In order to use network policies in your cluster, you must use a compatible container network plug-in; otherwise creating a NetworkPolicy resource will have no effect.
Both IKS (set up automatically) and GKE (has to be enabled) support a network plug-in called Calico, which supports defining network policies.

For other implementations of the Kubernetes networking model, take a look here. Keep in mind that not all implementations support defining network policies (e.g. Flannel). For a more detailed comparison between different plug-ins, take a look here (not maintained by us).
Note: For this section, ensure that PodSecurityPolicy support is enabled on your cluster. This is platform specific (e.g. in GKE this is not enabled by default).
By default, Eirini attaches a specific Service Account to all application pods. This Service Account's permissions can be found here, and they don't allow pods to run as the root user. You can relax this limitation with the following steps:

- Set the `allow_run_image_as_root` property in the Eirini ConfigMap to `true` by executing:

  ```shell
  kubectl edit configmap eirini -n <namespace-in-which-eirini-is-deployed>
  ```

- Restart the Eirini pod so the change is applied:

  ```shell
  kubectl delete pod <eirini-pod-name> -n <namespace-in-which-eirini-is-deployed>
  ```
- Apply a more relaxed PodSecurityPolicy in the namespace in which Eirini schedules applications. Example of a relaxed PSP:

  ```yaml
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
    annotations:
      seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
      seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    name: eirini-app-privileged-psp
    # PodSecurityPolicy is a cluster-scoped resource; the namespace field is
    # accepted but ignored by the API server.
    namespace: eirini
  spec:
    allowPrivilegeEscalation: false
    fsGroup:
      rule: RunAsAny
    # RunAsAny here is what lifts the non-root restriction.
    runAsUser:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
  ```
- Add the new privileged PSP to the default Service Account role by executing:

  ```shell
  kubectl patch -n eirini role eirini-app-role --type='json' -p '[{"op":"add","path":"/rules/0/resourceNames/-","value":"eirini-app-privileged-psp"}]'
  ```
The Kubernetes API is available in all pods by default at https://kubernetes.default. Eirini does not mount Service Account credentials into the pod and uses the default Service Account in the namespace. This prevents Eirini pods from using the Kubernetes API.

To completely disallow access to the API from application instances, you'd need to apply this network policy:
```yaml
# extensions/v1beta1 is the legacy API group for NetworkPolicy;
# networking.k8s.io/v1 is the current one.
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: eirini-egress-policy
  namespace: eirini
spec:
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - <API IP Address>/32
  podSelector: {}   # empty selector: applies to every pod in the namespace
  policyTypes:
  - Egress
```
You can get the IP address of the master by running the `kubectl get endpoints` command. If there are multiple Kubernetes API nodes, the IP address of each of them would need to be specified in the `except` array.
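As an added example (not code from the Eirini project), the following Python builds the egress policy above from the JSON that `kubectl get endpoints kubernetes -n default -o json` prints, so that every API server address ends up in the `except` array; the endpoints document is constructed sample data with made-up addresses, and `egress_allowed` is a hypothetical helper for checking the rendered policy.

```python
import ipaddress
import json

# Constructed sample of what `kubectl get endpoints kubernetes -o json` prints
# for a cluster with two API server nodes (addresses are made up).
SAMPLE_ENDPOINTS = {
    "kind": "Endpoints", "metadata": {"name": "kubernetes", "namespace": "default"},
    "subsets": [{"addresses": [{"ip": "10.0.0.10"}, {"ip": "10.0.0.11"}],
                 "ports": [{"name": "https", "port": 6443, "protocol": "TCP"}]}],
}

def api_server_ips(endpoints):
    """Collect every address listed for the `kubernetes` Endpoints object."""
    ips = {addr["ip"] for subset in endpoints.get("subsets", [])
           for addr in subset.get("addresses", [])}
    if not ips:
        raise ValueError("no API server addresses found in endpoints")
    return sorted(ips)

def egress_policy(api_ips, namespace="eirini", name="eirini-egress-policy"):
    """Render the page's NetworkPolicy with one /32 exception per API server IP."""
    # networking.k8s.io/v1 is the current API group for NetworkPolicy;
    # the manifest on the page uses the older extensions/v1beta1 name.
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {},  # every pod in the namespace
            "policyTypes": ["Egress"],
            "egress": [{"to": [{"ipBlock": {
                "cidr": "0.0.0.0/0",
                "except": [f"{ip}/32" for ip in api_ips],
            }}]}],
        },
    }

def egress_allowed(policy, dst_ip):
    """Hypothetical helper: would this policy's ipBlock rules let a pod reach dst_ip?"""
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy["spec"]["egress"]:
        for peer in rule.get("to", []):
            block = peer["ipBlock"]
            if dst in ipaddress.ip_network(block["cidr"]) and not any(
                    dst in ipaddress.ip_network(e) for e in block.get("except", [])):
                return True
    return False
```

Because YAML is a superset of JSON, `json.dumps(egress_policy(api_server_ips(endpoints)))` can be piped straight into `kubectl apply -f -`.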