Linkerd and Pod Security Policies (PSP)
To view the definition of the control plane’s Pod Security Policy, run:
Adjust the value of the above label to match your control plane’s namespace.
More information on the iptables rules used by the proxy-init init container can be found on the Architecture page.
If your environment disallows the operation of containers with escalated Linux capabilities, Linkerd can be installed with its CNI plugin, which doesn’t require the NET_ADMIN and NET_RAW capabilities.
For example, the following Pod Security Policy and RBAC will work with the injected emojivoto demo application:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: linkerd-emojivoto-data-plane
spec:
  allowPrivilegeEscalation: false
  fsGroup:
    ranges:
    - max: 65535
      min: 10001
    rule: MustRunAs
  readOnlyRootFilesystem: true
  allowedCapabilities:
  - NET_ADMIN
  - NET_RAW
  requiredDropCapabilities:
  - ALL
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:   # key restored: seLinux takes no ranges, this block belongs to supplementalGroups
    ranges:
    - max: 65535
      min: 10001
    rule: MustRunAs
  volumes:
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: emojivoto-psp
  namespace: emojivoto
rules:
- apiGroups: ['policy', 'extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']                                   # 'use' is the verb the PSP admission controller checks
  resourceNames: ['linkerd-emojivoto-data-plane']  # limit the grant to this PSP rather than every PSP in the cluster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: emojivoto-psp
  namespace: emojivoto
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: emojivoto-psp
subjects:
- kind: ServiceAccount
  name: default
  namespace: emojivoto
- kind: ServiceAccount
  name: emoji
  namespace: emojivoto
- kind: ServiceAccount
  name: voting
  namespace: emojivoto
- kind: ServiceAccount
  name: web   # assumed: the emojivoto web service account (the name was absent from the page as extracted)
  namespace: emojivoto
Note that the Linkerd proxy only requires the NET_ADMIN and NET_RAW capabilities when running without Linkerd CNI, and it runs with UID 2102.
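As an added example (not Linkerd’s own code) of how the policy above interacts with the injected containers, the following Python evaluates a constructed pod spec against the PSP fields shown, and against a stricter, assumed policy that forbids added capabilities. It shows that proxy-init is the container that needs NET_ADMIN and NET_RAW, so a pod injected in CNI mode (no proxy-init) is admitted by the stricter policy while the non-CNI pod is rejected; the pod spec and proxy-init running as UID 0 are assumptions, not a real manifest dump.

```python
# Constructed approximation of an injected emojivoto pod (not a real manifest
# dump). proxy-init running as UID 0 is an assumption for this example.
PROXY_INIT = {"name": "linkerd-init", "securityContext": {
    "runAsUser": 0, "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
    "capabilities": {"add": ["NET_ADMIN", "NET_RAW"], "drop": ["ALL"]}}}
PROXY = {"name": "linkerd-proxy", "securityContext": {
    "runAsUser": 2102, "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}
APP = {"name": "web", "securityContext": {"runAsUser": 10001}}
VOLUMES = [{"name": "linkerd-identity-end-entity", "emptyDir": {}}]

# Without Linkerd CNI the pod carries proxy-init; with CNI it does not.
POD_WITHOUT_CNI = {"volumes": VOLUMES, "initContainers": [PROXY_INIT],
                   "containers": [PROXY, APP]}
POD_WITH_CNI = {"volumes": VOLUMES, "containers": [PROXY, APP]}

# The linkerd-emojivoto-data-plane PSP above, reduced to the fields checked.
DATA_PLANE_PSP = {
    "allowPrivilegeEscalation": False,
    "allowedCapabilities": {"NET_ADMIN", "NET_RAW"},
    "requiredDropCapabilities": {"ALL"},
    "runAsUser": "RunAsAny",
    "volumes": {"configMap", "emptyDir", "projected", "secret",
                "downwardAPI", "persistentVolumeClaim"},
}
# A stricter policy (assumed) of the kind that forbids escalated capabilities.
RESTRICTED_PSP = dict(DATA_PLANE_PSP, allowedCapabilities=set(),
                      runAsUser="MustRunAsNonRoot")

def psp_violations(pod, psp):
    """Reasons the PSP would reject the pod; an empty list means admitted.
    Unset container fields are not flagged: PSP admission defaults them from
    the policy (e.g. it adds requiredDropCapabilities) before validating."""
    found = []
    for vol in pod.get("volumes", []):
        for kind in set(vol) - {"name"}:
            if kind not in psp["volumes"]:
                found.append(f"volume {vol['name']}: {kind} not allowed")
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext", {})
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap not in psp["allowedCapabilities"] or cap in psp["requiredDropCapabilities"]:
                found.append(f"{c['name']}: capability {cap} not permitted")
        if sc.get("allowPrivilegeEscalation") and not psp["allowPrivilegeEscalation"]:
            found.append(f"{c['name']}: privilege escalation not allowed")
        if psp["runAsUser"] == "MustRunAsNonRoot" and sc.get("runAsUser") == 0:
            found.append(f"{c['name']}: must not run as UID 0")
    return found
```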