Running the TSE control-plane in a locked-down, non-root environment
In some locked-down environments, the standard install profile for the TSE control plane may not be suitable. In particular, several components run as root by default, and the installation profile may need to be modified to avoid this.
Using the Istio CNI (avoid running istio-init as root)
The istio-init container is an init container that is injected into each workload pod. It prepares the networking configuration for the Istio proxy, and by default it needs to run as root.
In some situations, local security policies may not allow containers that run as root. In that case, you can enable the Istio CNI plugin. Edit the controlplane yaml, adding the CNI section as below:
```yaml
spec:
  components:
    istio:
      mountInternalWasmExtensions: true # <-- you should already have this set
      kubeSpec:
        CNI:
          binaryDirectory: /opt/cni/bin
          chained: true
          configurationDirectory: /etc/cni/net.d
```
Once you make the changes, allow several minutes for them to be applied. You will then need to restart your pods to force them to use the new init-containers and sidecars.
For more information, refer to:
- Istio Documentation: Install Istio with the Istio CNI plugin
- Tetrate TSB Documentation: Using Istio CNI
Run inject-wasm-extensions as non-root
Similarly, the Tetrate inject-wasm-extensions container runs as root by default. It can safely be run as a lower-privileged user if required.
Edit the controlplane yaml, modifying the xcp section as below:
```yaml
spec:
  components: # <-- the same `components` section that contains the `istio` key; shown here only for orientation
    xcp:
      centralAuthMode: JWT
      centralProvidedCaCert: true
      configProtection: {}
      enableHttpMeshInternalIdentityPropagation: true
      isolationBoundaries:
      - name: global
        revisions:
        - name: default
      kubeSpec:
        deployment:
          replicaCount: 1
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 50m
              memory: 128Mi
        overlays:
        - apiVersion: install.xcp.tetrate.io/v1alpha1
          kind: EdgeXcp
          name: edge-xcp
          patches:
          - path: spec.components.edgeServer.kubeSpec.deployment.env[-1]
            value:
              name: DISABLE_TIER1_TIER2_SEPARATION
              value: "true"
          - path: spec.components.edgeServer.kubeSpec.deployment.env[-1]
            value:
              name: ENABLE_ENHANCED_EAST_WEST_ROUTING
              value: "true"
          - path: spec.components.edgeServer.kubeSpec.deployment.env[-1]
            value:
              name: ENABLE_DNS_RESOLUTION_AT_EDGE
              value: "true"
          - path: spec.components.istio.customTemplates.[name:wasmfetcher] # <-- this is the new overlay to add; check the indentation carefully so everything is aligned
            value:
              name: wasmfetcher
              targets: ["INGRESS", "EGRESS", "SIDECAR"]
              yamlContent: |
                spec:
                  initContainers:
                  - name: inject-wasm-extensions
                    image: <your-registry>/wasmfetcher-server:1.7.0-tse # <-- replace this with your registry
                    command: ["/bin/cp"]
                    args: ["-v", "-R", "/wasmfetcher/plugins/.", "/wasm-plugins/"]
                    securityContext: # <-- adjust the securityContext values to fit your requirements
                      allowPrivilegeEscalation: false
                      capabilities:
                        drop:
                        - ALL
                      privileged: false
                      readOnlyRootFilesystem: true
                      runAsGroup: 1337
                      runAsNonRoot: true
                      runAsUser: 1337
                    volumeMounts:
                    - name: wasm-plugins
                      mountPath: "/wasm-plugins/"
                  containers:
                  - name: istio-proxy
                    volumeMounts:
                    - name: wasm-plugins
                      mountPath: "/wasm-plugins/"
                  volumes:
                  - name: wasm-plugins
                    emptyDir: {}
```
Once again, when making changes to controlplane.yaml, allow several minutes for the operator to redeploy the affected components.
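Both changes on this page can be verified the same way: after the CNI change, freshly injected pods should no longer carry an istio-init init container, and after the wasmfetcher overlay, inject-wasm-extensions should carry the non-root securityContext shown above. The following Python is an added example, not Tetrate's or Istio's code. It audits pod specs for init containers that would still run as root or with networking capabilities. The two pod specs are constructed sample input (the istio-init context mirrors what Istio's injection template sets by default; the istio-validation context is assumed to match the page's non-root settings); in a real cluster you would load the JSON from `kubectl get pods -A -o json` and pass each item to `audit_pod()`.

```python
"""Audit Kubernetes pod specs for init containers that still run as root.

Added example, not Tetrate's or Istio's code. Pod specs below are constructed.
"""

# Pod-level securityContext fields that containers inherit unless overridden.
POD_LEVEL_KEYS = ("runAsUser", "runAsGroup", "runAsNonRoot")
# Capabilities that let a container rewrite pod/host networking or escape.
RISKY_CAPS = ("NET_ADMIN", "NET_RAW", "SYS_ADMIN")

# The securityContext from this page's wasmfetcher overlay.
NON_ROOT_SECURITY_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "privileged": False,
    "readOnlyRootFilesystem": True,
    "runAsGroup": 1337,
    "runAsNonRoot": True,
    "runAsUser": 1337,
}

# Constructed: a pod injected before the CNI change. The istio-init context
# mirrors what Istio's injection template sets by default (root + NET_ADMIN).
POD_BEFORE_CNI = {
    "metadata": {"name": "app-before-cni"},
    "spec": {
        "initContainers": [{
            "name": "istio-init",
            "image": "example.invalid/proxyv2:placeholder",  # placeholder image
            "securityContext": {
                "runAsUser": 0, "runAsGroup": 0, "runAsNonRoot": False,
                "privileged": False, "allowPrivilegeEscalation": False,
                "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]},
            },
        }],
        "containers": [{"name": "app"}, {"name": "istio-proxy"}],
    },
}

# Constructed: a pod injected with the CNI plugin and the wasmfetcher template.
# istio-validation's context is assumed here to match the page's settings.
POD_WITH_CNI = {
    "metadata": {"name": "app-with-cni"},
    "spec": {
        "initContainers": [
            {"name": "istio-validation", "securityContext": dict(NON_ROOT_SECURITY_CONTEXT)},
            {"name": "inject-wasm-extensions", "securityContext": dict(NON_ROOT_SECURITY_CONTEXT)},
        ],
        "containers": [{"name": "app"}, {"name": "istio-proxy"}],
    },
}


def container_findings(container, pod_sc=None):
    """Return the list of root/privilege findings for one container ([] means OK)."""
    # Effective context: inheritable pod-level fields first, then the container's own.
    sc = {k: v for k, v in (pod_sc or {}).items() if k in POD_LEVEL_KEYS}
    sc.update(container.get("securityContext") or {})
    name = container["name"]
    findings = []
    if name == "istio-init":
        findings.append(f"{name}: istio-init present, pod was injected without the Istio CNI plugin")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true")
    if sc.get("runAsUser") == 0:
        findings.append(f"{name}: runAsUser=0")
    elif "runAsUser" not in sc and not sc.get("runAsNonRoot"):
        # Neither pinned to a UID nor forced non-root: the image's USER decides.
        findings.append(f"{name}: runAsNonRoot unset and no runAsUser, image default UID applies")
    added = sorted(c for c in ((sc.get("capabilities") or {}).get("add") or []) if c in RISKY_CAPS)
    if added:
        findings.append(f"{name}: adds {', '.join(added)}")
    # Kubernetes treats an unset allowPrivilegeEscalation as true.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    return findings


def audit_pod(pod):
    """Map each init container name in the pod to its findings."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    return {c["name"]: container_findings(c, pod_sc) for c in spec.get("initContainers", [])}


def pods_with_root_init(pods):
    """Names of pods that have at least one flagged init container."""
    return [p["metadata"]["name"] for p in pods if any(audit_pod(p).values())]


if __name__ == "__main__":
    for pod in (POD_BEFORE_CNI, POD_WITH_CNI):
        for cname, notes in audit_pod(pod).items():
            print(pod["metadata"]["name"], cname, notes or "OK")
```

The check deliberately treats an absent `runAsNonRoot` and `runAsUser` as a finding rather than as a pass, because in that case the image's `USER` directive decides the UID and the pod spec alone gives no guarantee; pods that are still flagged after the operator has reconciled the ControlPlane are the ones that were not restarted and are still using the old init containers.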