Run Calico node as non-privileged and non-root


Big picture

Run long-lived Calico components in non-privileged and non-root containers.

Value

Running Calico in non-privileged and non-root mode is for users who want to lock Calico down as far as possible and who need only basic Calico networking and network policy. The trade-off for the added security is more hands-on management of Calico networking: for example, Calico can no longer correct misconfigurations introduced by other components in your cluster, and support for newer features is limited.

Concepts

To run Calico as securely as possible, the long-running Calico components (for example calico/node) can run without privileged and root permissions in their containers. The init containers that set these components up still need privileged and root permissions, but the exposure is limited because init containers run once at pod start and exit before the long-running containers begin.

Supported

  • Operator installation only.

Unsupported

  • Calico Enterprise
  • eBPF dataplane

Note: Support for features added after Calico v3.21 is not guaranteed.

How to

  1. Follow the Tigera Calico operator installation instructions. If you have already installed the operator, skip to the next step.

  2. Edit the Calico installation to set the nonPrivileged field to Enabled.
    kubectl edit installation default
    

    Your installation resource should look similar to the following:

    apiVersion: operator.tigera.io/v1
    kind: Installation
    metadata:
      name: default
    spec:
      calicoNetwork:
        bgp: Enabled
        hostPorts: Enabled
        ipPools:
        - blockSize: 26
          cidr: 192.168.0.0/16
          encapsulation: VXLANCrossSubnet
          natOutgoing: Enabled
          nodeSelector: all()
        linuxDataplane: Iptables
        multiInterfaceMode: None
        nodeAddressAutodetectionV4:
          firstFound: true
      cni:
        ipam:
          type: Calico
        type: Calico
      controlPlaneReplicas: 2
      flexVolumePath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
      nodeUpdateStrategy:
        rollingUpdate:
          maxUnavailable: 1
        type: RollingUpdate
      nonPrivileged: Enabled
      variant: Calico
    
  3. The operator now rolls out the calico-node pods in the calico-system namespace. Verify that they come back to Running:
    watch kubectl get pods -n calico-system
    

Calico should now be running calico-node in non-privileged and non-root containers.
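As an added check (example code, not part of the Calico docs or of the Tigera operator), the script below inspects a calico-node pod spec and confirms that every long-running container is non-privileged and non-root, while tolerating the privileged init containers described above. It runs offline against a constructed sample pod; with `--live` it reads the pods through `kubectl`, assuming the operator labels the DaemonSet pods `k8s-app=calico-node`. The user IDs, capability list and container names in the sample are illustrative assumptions, not values taken from the operator.

```python
"""Verify that calico-node's long-running containers are non-privileged and non-root.

Added example; not part of the Calico documentation or the Tigera operator.
Field names follow the Kubernetes Pod API (securityContext.privileged,
runAsUser, runAsNonRoot), i.e. what `kubectl get pod -o json` returns.
"""
import json
import subprocess
import sys

# Constructed sample pod: the general shape of a calico-node pod after
# nonPrivileged: Enabled. UIDs, capabilities and names are assumptions.
SAMPLE_POD = {
    "metadata": {"name": "calico-node-abc12", "namespace": "calico-system"},
    "spec": {
        "securityContext": {"runAsUser": 10000, "runAsGroup": 10000},
        "initContainers": [
            # Init containers may legitimately be privileged and root: they run once and exit.
            {"name": "install-cni",
             "securityContext": {"privileged": True, "runAsUser": 0}},
        ],
        "containers": [
            {"name": "calico-node",
             "securityContext": {"privileged": False, "runAsNonRoot": True,
                                 "capabilities": {"add": ["NET_ADMIN", "NET_BIND_SERVICE", "NET_RAW"]}}},
        ],
    },
}


def effective_user(container, pod_sc):
    """runAsUser with Kubernetes precedence: container-level overrides pod-level."""
    csc = container.get("securityContext") or {}
    if "runAsUser" in csc:
        return csc["runAsUser"]
    return pod_sc.get("runAsUser")


def is_non_root(container, pod_sc):
    """True if the kubelet will refuse UID 0 or the resolved UID is non-zero."""
    csc = container.get("securityContext") or {}
    if csc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot"):
        return True
    uid = effective_user(container, pod_sc)
    return uid is not None and uid != 0


def check_pod(pod):
    """Return (errors, notes). Empty errors means the pod passes the check."""
    errors, notes = [], []
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            errors.append(f"container {c['name']} is privileged")
        if not is_non_root(c, pod_sc):
            errors.append(f"container {c['name']} may run as root (no runAsNonRoot or non-zero runAsUser)")
    for c in spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") or effective_user(c, pod_sc) in (0, None):
            # Reported, not failed: privileged/root init containers are expected here.
            notes.append(f"init container {c['name']} is privileged or root (expected: runs once and exits)")
    return errors, notes


def live_pods():
    """Fetch calico-node pods via kubectl. Label selector is an assumption about the operator."""
    out = subprocess.check_output(
        ["kubectl", "get", "pods", "-n", "calico-system", "-l", "k8s-app=calico-node", "-o", "json"])
    return json.loads(out)["items"]


if __name__ == "__main__":
    pods = live_pods() if "--live" in sys.argv[1:] else [SAMPLE_POD]
    failed = False
    for pod in pods:
        errors, notes = check_pod(pod)
        name = pod["metadata"]["name"]
        for n in notes:
            print(f"{name}: note: {n}")
        for e in errors:
            print(f"{name}: FAIL: {e}")
        failed = failed or bool(errors)
        if not errors:
            print(f"{name}: OK: long-running containers are non-privileged and non-root")
    sys.exit(1 if failed else 0)
```

Run it with `--live` after step 3 to check the real pods; a non-zero exit means at least one long-running calico-node container is still privileged or could start as root, which usually means the Installation edit has not been rolled out yet or `nonPrivileged` is not set to `Enabled`.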