Removes privileged=true for flannel containers (#755)

The ROS security audit of the M-Lab platform noted that flannel containers were running with CAP_SYS_ADMIN, and that we should determine if we could remove that capability. This was the result of setting privileged=true in the securityContext for the pods. Looking at the current documentation for flannel, their sample configurations explicity set privileged=false, and grant only NET_ADMIN and NET_RAW capabilities. This commit follows this same pattern for M-Lab's flannel pods.
m-lab · Jan 4, 2023 · b56a580 · b56a580
1 parent 921fdac
commit b56a580
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/k8s/daemonsets/core/flannel-physical.jsonnet b/k8s/daemonsets/core/flannel-physical.jsonnet
@@ -72,7 +72,13 @@
               },
             },
             securityContext: {
-              privileged: true,
+              privileged: false,
+              capabilities: {
+                add: [
+                  'NET_ADMIN',
+                  'NET_RAW',
+                ],
+              },
             },
             volumeMounts: [
               {

diff --git a/k8s/daemonsets/core/flannel-virtual.jsonnet b/k8s/daemonsets/core/flannel-virtual.jsonnet
@@ -75,7 +75,13 @@
               },
             },
             securityContext: {
-              privileged: true,
+              privileged: false,
+              capabilities: {
+                add: [
+                  'NET_ADMIN',
+                  'NET_RAW',
+                ],
+              },
             },
             volumeMounts: [
               {