Use admission controllers for access
MKE supports a selective grant that allows a named set of user accounts and service accounts to use privileged attributes on Kubernetes Pods. This lets non-administrator accounts run workloads that would otherwise require an administrator or cluster-admin to create them. Because the grant lives in the MKE configuration file, it can be used to lift a restriction temporarily and be reverted at any time. Each of these attributes weakens the isolation between the Pod and the node it runs on, so keep the account and attribute lists as short as the workload requires and remove entries when they are no longer needed.

The privileged attributes for user accounts and for service accounts are specified in separate lists. Only one list of privileged attributes can be specified for user accounts and one for service accounts; every account named in the corresponding account list receives the same set of attributes, so different accounts cannot be given different attributes.

The user accounts specified for access must be non-administrator users, and the service accounts specified for access must not be bound to the cluster-admin role.
The following privileged attributes can be assigned using a selective grant:

Attribute | Description
---|---
hostIPC | Allows the Pod containers to share the host IPC namespace
hostNetwork | Allows the Pod to use the network namespace and network resources of the host node
hostPID | Allows the Pod containers to share the host process ID namespace
hostBindMounts | Allows the Pod containers to use directories and volumes mounted on the container host
privileged | Allows one or more Pod containers to run privileged, escalate privileges, or both
kernelCapabilities | Allows the addition of kernel capabilities on one or more of the Pod containers
The following Pod manifest demonstrates the use of several of the privileged attributes in a Pod. It adds a kernel capability (NET_ADMIN) to the container, which falls under kernelCapabilities, and sets allowPrivilegeEscalation to true, which falls under privileged:

    apiVersion: v1
    kind: Pod
    metadata:
      name: busybox
      namespace: default
    spec:
      containers:
      - image: ubuntu
        command:
        - sleep
        - "36000"
        imagePullPolicy: IfNotPresent
        name: busybox
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            drop:
            - CHOWN
          privileged: false
          allowPrivilegeEscalation: true
      restartPolicy: Always
To configure privileged attributes for user and service account access:

1. Obtain the current MKE configuration file for your cluster.
2. In the [cluster_config] section of the MKE configuration file, specify the required privileged attributes for user accounts using the priv_attributes_allowed_for_user_accounts parameter.
3. Specify the associated user accounts with the priv_attributes_user_accounts parameter.
4. Specify the required privileged attributes for service accounts using the priv_attributes_allowed_for_service_accounts parameter.
5. Specify the associated service accounts with the priv_attributes_service_accounts parameter, in namespace:name form.
6. Upload the modified configuration file to the cluster.
Example privileged attribute specification in the MKE configuration file:
priv_attributes_allowed_for_user_accounts = ["privileged"]
priv_attributes_user_accounts = ["Abby"]
priv_attributes_allowed_for_service_accounts = ["hostBindMounts", "hostIPC"]
priv_attributes_service_accounts = ["default:sa1"]
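How such a grant is applied, as an added Python model that is not MKE's own admission-controller code: it maps Pod manifest fields to the six attribute names from the table above (that field-to-attribute mapping is this example's own assumption, derived from the attribute descriptions) and checks the result against the four [cluster_config] parameters from the procedure, using the page's example values. The Pod manifests are constructed inline; the first is the busybox manifest above expressed as a dict. Under this model that manifest needs both privileged and kernelCapabilities, so the example grant for Abby, which lists only privileged, would not cover it.

```python
"""Model of an MKE selective grant for privileged Pod attributes.

Added example, not MKE code. The mapping from manifest fields to attribute
names is an assumption based on the attribute table; the grant values are
the page's example configuration.
"""
from __future__ import annotations

# Grant lists, mirroring the page's example [cluster_config] entries.
GRANT = {
    "priv_attributes_allowed_for_user_accounts": ["privileged"],
    "priv_attributes_user_accounts": ["Abby"],
    "priv_attributes_allowed_for_service_accounts": ["hostBindMounts", "hostIPC"],
    "priv_attributes_service_accounts": ["default:sa1"],  # namespace:name
}

# Constructed Pod manifests as dicts (what a YAML loader would produce).
PAGE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "busybox", "namespace": "default"},
    "spec": {
        "containers": [{
            "image": "ubuntu", "name": "busybox",
            "command": ["sleep", "36000"],
            "securityContext": {
                "capabilities": {"add": ["NET_ADMIN"], "drop": ["CHOWN"]},
                "privileged": False,
                "allowPrivilegeEscalation": True,
            },
        }],
        "restartPolicy": "Always",
    },
}
HOST_MOUNT_POD = {
    "spec": {
        "hostIPC": True,
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "c", "image": "ubuntu",
                        "volumeMounts": [{"name": "logs", "mountPath": "/host-log"}]}],
    },
}
PLAIN_POD = {"spec": {"containers": [{"name": "c", "image": "ubuntu"}]}}


def privileged_attributes(pod: dict) -> set[str]:
    """Return the privileged attributes a Pod manifest uses (assumed mapping)."""
    spec = pod.get("spec", {})
    used: set[str] = set()
    # hostIPC / hostNetwork / hostPID are Pod-level booleans of the same name.
    for flag in ("hostIPC", "hostNetwork", "hostPID"):
        if spec.get(flag):
            used.add(flag)
    # hostBindMounts: any hostPath volume mounts a directory from the node.
    if any("hostPath" in vol for vol in spec.get("volumes", [])):
        used.add("hostBindMounts")
    # privileged and kernelCapabilities come from per-container securityContext.
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        sc = container.get("securityContext") or {}
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation"):
            used.add("privileged")
        if (sc.get("capabilities") or {}).get("add"):
            used.add("kernelCapabilities")
    return used


def admit(pod: dict, account: str, kind: str, grant: dict = GRANT) -> tuple[bool, set[str]]:
    """Decide whether `account` (kind "user" or "serviceaccount") may create `pod`.

    Returns (allowed, attributes that were not granted). A Pod that uses no
    privileged attribute is always admitted; otherwise the account must be
    listed and every attribute the Pod uses must be in the matching list.
    """
    needed = privileged_attributes(pod)
    if not needed:
        return True, set()
    if kind == "user":
        accounts = grant["priv_attributes_user_accounts"]
        allowed = grant["priv_attributes_allowed_for_user_accounts"]
    elif kind == "serviceaccount":
        accounts = grant["priv_attributes_service_accounts"]
        allowed = grant["priv_attributes_allowed_for_service_accounts"]
    else:
        raise ValueError(f"unknown account kind: {kind}")
    if account not in accounts:
        return False, needed            # not in the grant at all
    denied = needed - set(allowed)
    return not denied, denied


if __name__ == "__main__":
    print("Abby / page manifest:", admit(PAGE_POD, "Abby", "user"))
    print("default:sa1 / host mount:", admit(HOST_MOUNT_POD, "default:sa1", "serviceaccount"))
```

The model keeps the two decisions the page's configuration implies: an account that is not listed gets no privileged attribute at all, and a listed account is limited to exactly the attributes in its kind's list, so a Pod that adds hostPID to HOST_MOUNT_POD would be refused for default:sa1 even though hostIPC and hostBindMounts are granted.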