Hi
I am trying to get Linkerd working on an RKE2 CIS profile configured cluster. That means that everything is in a non-root environment and that most privilege access is denied.
I have seen that the linkerd namespace got privilege access from the install (which is fine I guess), but sidecar'ed pods cannot start because the linkerd-init container includes NET_ADMIN and NET_RAW capabilities.
Obviously I would not want to raise every namespace that is using Linkerd with elevated privileges. There used to be PSPs in older versions of Kubernetes and there was a way around that issue at the time. But PSPs are deprecated and I could not find any information on how to navigate that issue with today's Kubernetes version…
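The failure described in the post is what Pod Security Admission (the PSP replacement, which a CIS-hardened cluster turns on through the `pod-security.kubernetes.io/enforce` namespace label) produces: both the "baseline" and the "restricted" profile refuse any container that adds NET_ADMIN or NET_RAW, and init containers are checked the same way as regular containers. The script below is an added example, not code from the post or from the Linkerd project. It replays that admission check offline over constructed pod and namespace objects in the shape `kubectl get ... -o json` returns; the pod specs, namespace names and the no-capability init container of the second pod (modelled on what Linkerd's CNI mode leaves in the pod once traffic redirection no longer happens in an init container) are assumptions for illustration, and only the capability rules of the profiles are modelled.

```python
"""Replay the Pod Security Standards capability check on a sidecar-injected pod.

Added example, not part of the original post or of Linkerd. Only the
capability rules of the "baseline" and "restricted" profiles are modelled;
runAsNonRoot, seccomp and allowPrivilegeEscalation rules are left out.
"""

# Capabilities a container may add under the "baseline" profile.
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
    "SYS_CHROOT",
}
# "restricted" requires every container to drop ALL and allows only
# NET_BIND_SERVICE to be added back.
RESTRICTED_ALLOWED_ADD = {"NET_BIND_SERVICE"}

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"


def enforce_profile(namespace):
    """Profile the namespace enforces; an unlabeled namespace defaults to privileged."""
    return namespace["metadata"].get("labels", {}).get(ENFORCE_LABEL, "privileged")


def capability_violations(pod, profile):
    """Return human-readable capability violations of `pod` under `profile`."""
    if profile == "privileged":
        return []  # the privileged profile imposes no restrictions
    allowed = RESTRICTED_ALLOWED_ADD if profile == "restricted" else BASELINE_ALLOWED_ADD
    spec = pod["spec"]
    violations = []
    # Init containers are evaluated like any other container, which is
    # exactly where the NET_ADMIN/NET_RAW request of linkerd-init lives.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        caps = c.get("securityContext", {}).get("capabilities", {})
        added = set(caps.get("add", []))
        dropped = set(caps.get("drop", []))
        extra = sorted(added - allowed)
        if extra:
            violations.append(
                f"{c['name']}: adds {', '.join(extra)}, not permitted by {profile}")
        if profile == "restricted" and "ALL" not in dropped:
            violations.append(f"{c['name']}: restricted requires drop: [ALL]")
    return violations


def check_pod(pod, namespace):
    """(profile, violations) for `pod` admitted into `namespace`."""
    profile = enforce_profile(namespace)
    return profile, capability_violations(pod, profile)


# Constructed sample data (assumed names), modelled on a sidecar-injected
# pod: the init container requests NET_ADMIN and NET_RAW as the post describes.
DROP_ALL = {"capabilities": {"drop": ["ALL"]}}
INJECTED_POD = {
    "metadata": {"name": "web-7d9f", "namespace": "shop"},
    "spec": {
        "initContainers": [{
            "name": "linkerd-init",
            "securityContext": {
                "runAsNonRoot": True, "runAsUser": 65534,
                "allowPrivilegeEscalation": False,
                "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]},
            },
        }],
        "containers": [
            {"name": "linkerd-proxy", "securityContext": DROP_ALL},
            {"name": "web", "securityContext": DROP_ALL},
        ],
    },
}
# Constructed variant whose init container adds no capabilities (the shape
# a pod takes when redirection is done outside the pod, as with a CNI plugin).
CNI_MODE_POD = {
    "metadata": {"name": "web-5c2a", "namespace": "shop"},
    "spec": {
        "initContainers": [{"name": "network-validator", "securityContext": DROP_ALL}],
        "containers": [
            {"name": "linkerd-proxy", "securityContext": DROP_ALL},
            {"name": "web", "securityContext": DROP_ALL},
        ],
    },
}
RESTRICTED_NS = {"metadata": {"name": "shop", "labels": {ENFORCE_LABEL: "restricted"}}}
UNLABELED_NS = {"metadata": {"name": "legacy"}}

if __name__ == "__main__":
    for pod in (INJECTED_POD, CNI_MODE_POD):
        profile, problems = check_pod(pod, RESTRICTED_NS)
        print(pod["metadata"]["name"], profile, problems or "admitted")
```

To run it against a real cluster, replace the constructed dicts with `json.load` of `kubectl get pod <name> -o json` and `kubectl get ns <name> -o json`; the namespace label is the first thing to confirm, since a namespace labeled `baseline` rejects NET_ADMIN/NET_RAW just as `restricted` does, so relaxing from restricted to baseline will not admit the init container.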