Run Calico node as non-privileged and non-root
Run long-lived Calico components in non-privileged and non-root containers.
Running Calico in non-privileged and non-root mode is an option for users who want to secure Calico as much as possible, and who do not care about Calico features beyond the basic Calico networking and network policy. The tradeoff for more security is the overhead of Calico networking management. For example, you no longer receive Calico corrections to misconfigurations caused by other components within your cluster, along with limited support for new features.
To run Calico as securely as possible, long-running Calico components (for example calico/node) can be run without privileged and root permissions in their respective containers. Note that to set up these components, the init containers still need to run with privileged and root permissions, but the risk to cluster security is minimal because of the ephemeral nature of init containers: they exit once node setup is done.
- Operator installation only.
- Calico Enterprise
- eBPF dataplane
- WorkloadSourceSpoofing felix option and the related
Note: Support for features added after Calico v3.21 is not guaranteed.
Follow the Tigera Calico operator installation instructions. If you have already installed the operator, skip to the next step.
Edit the Calico installation to set the
kubectl edit installation default
Your installation resource should look similar to the following:
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    bgp: Enabled
    hostPorts: Enabled
    ipPools:
    - blockSize: 26
      cidr: 192.168.0.0/16
      encapsulation: VXLANCrossSubnet
      natOutgoing: Enabled
      nodeSelector: all()
    linuxDataplane: Iptables
    multiInterfaceMode: None
    nodeAddressAutodetectionV4:
      firstFound: true
  cni:
    ipam:
      type: Calico
    type: Calico
  controlPlaneReplicas: 2
  flexVolumePath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
  nodeUpdateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  nonPrivileged: Enabled
  variant: Calico
The calico-node pods in the calico-system namespace should now restart. Verify that they restart properly.
watch kubectl get pods -n calico-system
Calico should now be running calico-node in non-privileged and non-root containers.
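Watching the pods restart shows they came back, not that they came back hardened. The following added example (not part of the Calico docs or the Calico project) audits the pod specs the way a reviewer would after this change: every long-lived container in a calico-node pod must have privileged set to false and must not run as UID 0, while init containers are deliberately skipped because, as noted above, they still need privileged root to set the node up and then exit. It is written to consume the JSON from `kubectl get pods -n calico-system -o json`; the embedded SAMPLE_PODS_JSON is a constructed stand-in for that output (container names, UIDs and pod suffixes are assumptions), with one pod that passes and one that still runs privileged.

```python
"""Audit calico-node pods for non-privileged, non-root long-lived containers.

Usage: kubectl get pods -n calico-system -o json | python audit_calico_node.py
With no stdin, the constructed sample below is audited instead.
"""
import json
import sys

# Constructed sample shaped like `kubectl get pods -o json` output; not real cluster data.
SAMPLE_PODS_JSON = """
{
  "items": [
    {
      "metadata": {"name": "calico-node-abcde", "namespace": "calico-system"},
      "spec": {
        "initContainers": [
          {"name": "flexvol-driver", "securityContext": {"privileged": true, "runAsUser": 0}},
          {"name": "install-cni",    "securityContext": {"privileged": true, "runAsUser": 0}}
        ],
        "containers": [
          {"name": "calico-node",
           "securityContext": {"privileged": false, "runAsNonRoot": true, "runAsUser": 10001}}
        ]
      }
    },
    {
      "metadata": {"name": "calico-node-fghij", "namespace": "calico-system"},
      "spec": {
        "initContainers": [],
        "containers": [
          {"name": "calico-node", "securityContext": {"privileged": true}}
        ]
      }
    }
  ]
}
"""


def effective_security_context(pod_spec, container):
    """Container-level securityContext overrides the pod-level one for shared keys."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def container_findings(pod_spec, container):
    """Return the reasons a long-lived container is not non-privileged and non-root."""
    sc = effective_security_context(pod_spec, container)
    findings = []
    if sc.get("privileged", False):
        findings.append("privileged")
    run_as_user = sc.get("runAsUser")
    if run_as_user == 0:
        findings.append("runAsUser=0")
    elif run_as_user is None and not sc.get("runAsNonRoot", False):
        # Nothing in the spec excludes root: the image default decides, so flag it.
        findings.append("root not excluded (no runAsUser/runAsNonRoot)")
    return findings


def audit_pods(pods_json, name_prefix="calico-node"):
    """Map each matching pod name to {container name: findings}.

    Only spec.containers are checked; spec.initContainers are skipped because they
    are expected to run privileged as root during node setup and then exit.
    """
    doc = json.loads(pods_json)
    report = {}
    for pod in doc.get("items", []):
        name = pod["metadata"]["name"]
        if not name.startswith(name_prefix):
            continue
        spec = pod.get("spec", {})
        bad = {}
        for container in spec.get("containers", []):
            findings = container_findings(spec, container)
            if findings:
                bad[container["name"]] = findings
        report[name] = bad
    return report


def all_hardened(report):
    """True when no long-lived container in any audited pod has findings."""
    return all(not bad for bad in report.values())


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS_JSON
    result = audit_pods(raw)
    for pod_name, bad in sorted(result.items()):
        status = "OK" if not bad else "FAIL " + json.dumps(bad)
        print(f"{pod_name}: {status}")
    sys.exit(0 if all_hardened(result) else 1)
```

The check merges the pod-level securityContext into each container's before evaluating it, because runAsUser and runAsNonRoot may be set at either level; a container with neither is reported rather than assumed safe, since the image's default user would then decide. A non-zero exit code makes the script usable as a post-upgrade gate in a pipeline.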