metropolis/node/kubernetes: allow privileged pods
There are valid use cases for privileged pods in low-assurance clusters.
In particular, "kubectl debug node/... --profile=sysadmin" is very
useful for debugging and requires privileged pods.
In a production cluster, we'd want to restrict privileged pods
and other dangerous capabilities (which are already allowed)
using pod security or more sophisticated admission controllers,
including enforcing future cluster integrity policy levels.
Change-Id: I8f6470f636cdd13b7c980f04f08f95aaff833b20
Reviewed-on: https://review.monogon.dev/c/monogon/+/3246
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/kubernetes/apiserver.go b/metropolis/node/kubernetes/apiserver.go
index 45b2582..e4df4a9 100644
--- a/metropolis/node/kubernetes/apiserver.go
+++ b/metropolis/node/kubernetes/apiserver.go
@@ -185,6 +185,7 @@
args.FileOpt("--tls-private-key-file", "server-key.pem",
pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: s.serverKey})),
args.FileOpt("--admission-control-config-file", "admission-control.json", admissionConfigRaw),
+ "--allow-privileged=true",
)
if args.Error() != nil {
return err
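Review bot: `--allow-privileged=true` is added as an unconditional literal, so every cluster built from this code will accept privileged pods regardless of assurance level, even though the commit message says production clusters should restrict them. Consider threading this through a cluster/node configuration option (defaulting to the low-assurance behaviour if that is the intent) or, at minimum, a comment on this line stating that privileged pods are deliberately allowed and that the restriction is expected to come from the admission configuration written via `--admission-control-config-file` just above. Separately, the unchanged context `if args.Error() != nil { return err }` checks `args.Error()` but returns `err`; if `err` holds an unrelated or nil value at that point, the argument-building failure is lost, so `return args.Error()` would be worth confirming.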