Use admission controllers for access

MKE supports selective grants, which allow a set of user and service accounts to use privileged attributes on Kubernetes Pods. This lets administrators permit operations that would ordinarily require an administrator or cluster-admin to execute. Because the changes can be reverted at any time, such selective grants can be used to temporarily bypass restrictions on non-administrator accounts.

The privileged attributes associated with user and service accounts are specified separately. It is only possible to specify one list of privileged attributes for user accounts and one list for service accounts.

The user accounts specified for access must be non-administrator users and the service accounts specified for access must not be bound to the cluster-admin role.

The following privileged attributes can be assigned using a selective grant:

| Attribute | Description |
|-----------|-------------|
| hostIPC | Allows the Pod containers to share the host IPC namespace |
| hostNetwork | Allows the Pod to use the network namespace and network resources of the host node |
| hostPID | Allows the Pod containers to share the host process ID namespace |
| hostBindMounts | Allows the Pod containers to use directories and volumes mounted on the container host |
| privileged | Allows one or more Pod containers to run privileged, escalate privileges, or both |
| kernelCapabilities | Allows the addition of kernel capabilities on one or more Pod containers |

The following Pod manifest demonstrates the use of several of the privileged attributes in a Pod:

Example Pod manifest
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - image: ubuntu
    command:
      - sleep
      - "36000"
    imagePullPolicy: IfNotPresent
    name: busybox
    securityContext:
      capabilities:
        add:
          - NET_ADMIN
        drop:
          - CHOWN
      privileged: false
      allowPrivilegeEscalation: true

  restartPolicy: Always

To configure privileged attributes for user and service account access:

  1. Obtain the current MKE configuration file for your cluster.

  2. In the [cluster_config] section of the MKE configuration file, specify the required privileged attributes for user accounts using the priv_attributes_allowed_for_user_accounts parameter.

  3. Specify the associated user accounts with the priv_attributes_user_accounts parameter.

  4. Specify the required privileged attributes for service accounts using the priv_attributes_allowed_for_service_accounts parameter.

  5. Specify the associated service accounts with the priv_attributes_service_accounts parameter.

  6. Upload the new MKE configuration file.

Example privileged attribute specification in the MKE configuration file:

priv_attributes_allowed_for_user_accounts = ["privileged"]
priv_attributes_user_accounts = ["Abby"]
priv_attributes_allowed_for_service_accounts = ["hostBindMounts", "hostIPC"]
priv_attributes_service_accounts = ["default:sa1"]
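
Before uploading a grant, it helps to check which attributes a given Pod actually needs and whether the grant covers them. The following is an added example, not MKE code: the mapping from Pod spec fields to attribute names is an assumption derived from the attribute descriptions above, the function names are hypothetical, and the account "Bob" is constructed.

```python
# Added example: which privileged attributes does a Pod request, and does the
# selective grant for a given account cover them? The field-to-attribute
# mapping is an assumption based on the table above, not MKE's own logic.

def required_attributes(pod):
    """Return the set of privileged attributes a Pod manifest (dict) requests."""
    spec = pod.get("spec", {})
    needed = {a for a in ("hostIPC", "hostNetwork", "hostPID") if spec.get(a)}
    if any("hostPath" in v for v in spec.get("volumes") or []):
        needed.add("hostBindMounts")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        # Only an explicit `true` is counted for allowPrivilegeEscalation.
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation"):
            needed.add("privileged")
        if (sc.get("capabilities") or {}).get("add"):
            needed.add("kernelCapabilities")
    return needed


def missing_grants(pod, account, kind, cluster_config):
    """List attributes the Pod needs that `account` has not been granted.

    kind is "user" or "service"; service accounts are written "namespace:name".
    """
    accounts = cluster_config.get(f"priv_attributes_{kind}_accounts", [])
    allowed = cluster_config.get(f"priv_attributes_allowed_for_{kind}_accounts", [])
    granted = set(allowed) if account in accounts else set()
    return sorted(required_attributes(pod) - granted)


# Values copied from the example privileged attribute specification above.
CLUSTER_CONFIG = {
    "priv_attributes_allowed_for_user_accounts": ["privileged"],
    "priv_attributes_user_accounts": ["Abby"],
    "priv_attributes_allowed_for_service_accounts": ["hostBindMounts", "hostIPC"],
    "priv_attributes_service_accounts": ["default:sa1"],
}

# The security-relevant part of the example Pod manifest above, as a dict.
POD = {"spec": {"containers": [{"name": "busybox", "securityContext": {
    "capabilities": {"add": ["NET_ADMIN"], "drop": ["CHOWN"]},
    "privileged": False, "allowPrivilegeEscalation": True}}]}}

if __name__ == "__main__":
    for kind, account in (("user", "Abby"), ("service", "default:sa1"), ("user", "Bob")):
        print(kind, account, "missing:", missing_grants(POD, account, kind, CLUSTER_CONFIG))
```

An empty result means the grant covers everything the Pod requests under this mapping. A non-empty result names the attributes that would have to be added to the grant, or removed from the manifest.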