...
kubectl replace -f - <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "false" labels: kubernetes.io/bootstrapping: rbac-defaults name: system:public-info-viewer rules: - nonResourceURLs: # /version has been removed - /healthz - /livez - /readyz verbs: - get EOF
CAP_NET_RAW
Docker runtime enables Linux "NET_RAW" capability by default. Docker daemon does not have an option to disable "NET_RAW":
https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
So we have to turn to K8s provided "PodSecurityPolicy" for help.
Solution:
Use PodSecurityPolicy
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
StepsHigh level steps:
- Create a PodSecurityPolicy to drop the Linux capability "NET_RAW".
- Create an RBAC role to allow use of the PodSecurityPolicy created in step 1.
- Bind the RBAC role to serviceaccount "default".