linkerd-init violates the baseline Pod Security Standard #11097
Enforcing the baseline Pod Security Standard with the linkerd-init sidecar fails with the following error:
I wonder what can be done about it? On one hand, linkerd-init must have these capabilities. On the other hand, I do not see how this can reconcile with the PSS. The currently implemented exemptions mechanism (through user name, runtime class or namespace) is not fine enough to apply to a sidecar. Any ideas on how this conundrum can be resolved?
Replies: 2 comments 1 reply
-
That's right, unfortunately, linkerd-init is incompatible with anything but a privileged PSS, given that mechanism's coarse-grained policies. If you're required to enforce a more restrictive PSS policy you can via the linkerd-cni model, which refrains from using the linkerd-init container for setting up the iptables rules required by the proxy.
-
Would you be able to elaborate on the difference between the linkerd-cni model and the linkerd-init model? Or should I ask a separate question for that?
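To make the coarse-grained nature of the policy concrete, here is an added example (not code from this discussion or from the Linkerd project) that encodes the baseline profile's capabilities and privileged controls and runs them over two constructed pod specs: one shaped like the linkerd-init model, whose init container adds NET_ADMIN and NET_RAW (the thread does not name the capabilities; these are the two linkerd-init needs for its iptables setup), and one shaped like the CNI model with no such init container. The pod specs, container names and image names are placeholders I made up for the example.

```python
"""Added example: a minimal model of the Pod Security Standards "baseline"
capabilities and privileged controls, run over constructed pod specs.
Not Linkerd code; the specs below are placeholders, not real manifests."""
from typing import Any, Dict, List, Tuple

# Capabilities a container may add under the baseline profile
# (Kubernetes Pod Security Standards, "Capabilities" control).
BASELINE_ALLOWED_ADD = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
})


def all_containers(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """The baseline controls apply to every container in the pod, init
    containers included, which is why one sidecar cannot be exempted alone."""
    spec = pod.get("spec", {})
    return (spec.get("initContainers", [])
            + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def baseline_violations(pod: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (container name, reason) pairs the baseline profile rejects."""
    found = []
    for c in all_containers(pod):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append((c["name"], "privileged"))
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if cap.upper() not in BASELINE_ALLOWED_ADD:
                found.append((c["name"], "capability " + cap.upper()))
    return found


def admitted(pod: Dict[str, Any], level: str) -> bool:
    """Would a namespace enforcing `level` admit this pod?
    'privileged' is unrestricted; 'baseline' applies the checks above.
    'restricted' adds further controls this example does not model."""
    if level == "privileged":
        return True
    if level == "baseline":
        return not baseline_violations(pod)
    raise ValueError("level not modelled: " + level)


def _pod(name: str, init_containers: list, containers: list) -> Dict[str, Any]:
    return {"metadata": {"name": name},
            "spec": {"initContainers": init_containers, "containers": containers}}


# Constructed spec shaped like the linkerd-init (init container) model.
INIT_MODEL_POD = _pod(
    "web-init-model",
    [{"name": "linkerd-init", "image": "placeholder/proxy-init",
      "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}}}],
    [{"name": "linkerd-proxy", "image": "placeholder/proxy"},
     {"name": "web", "image": "placeholder/web"}],
)

# Constructed spec shaped like the linkerd-cni model: the iptables rules are
# installed by the CNI plugin on the node, so no pod container needs NET_ADMIN.
CNI_MODEL_POD = _pod(
    "web-cni-model",
    [],
    [{"name": "linkerd-proxy", "image": "placeholder/proxy"},
     {"name": "web", "image": "placeholder/web"}],
)


if __name__ == "__main__":
    for pod in (INIT_MODEL_POD, CNI_MODEL_POD):
        for level in ("privileged", "baseline"):
            verdict = "admitted" if admitted(pod, level) else baseline_violations(pod)
            print(pod["metadata"]["name"], level, verdict)
```

In a real cluster the equivalent decision is taken by Pod Security Admission from the namespace label `pod-security.kubernetes.io/enforce: baseline`; the toy mirrors its scope (the whole pod, every container), which is exactly why the namespace-level exemption cannot be narrowed to one injected sidecar and why the answer above points at the CNI model instead.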