fix(netbird-agent): allow read root fs and add sysctl

The agent seems to assume it is running with full root privileges,
which we do not want. Accommodate it by adjusting the settings manually.
This commit is contained in:
Vegard Hagen
2025-01-05 13:10:26 +01:00
parent a89e51b027
commit c9ffd698c8
3 changed files with 17 additions and 6 deletions


@@ -15,23 +15,30 @@ spec:
securityContext: securityContext:
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
sysctls:
# Considered unsafe, need to enable with kubelet argument.
# see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls
- name: net.ipv4.conf.all.src_valid_mark
value: "1"
containers: containers:
- name: agent - name: agent
image: docker.io/netbirdio/netbird:0.35.2 # renovate: docker=docker.io/netbirdio/netbird image: docker.io/netbirdio/netbird:0.35.2 # renovate: docker=docker.io/netbirdio/netbird
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: false
runAsNonRoot: false
capabilities: capabilities:
add: [ NET_ADMIN, PERFMON, BPF ] drop: [ ALL ]
add: [ NET_ADMIN, NET_RAW, PERFMON, BPF ]
envFrom: envFrom:
- configMapRef: - configMapRef:
name: agent-config name: agent-config
- secretRef: - secretRef:
name: agent-setup-key name: agent-setup-key
volumeMounts: volumeMounts:
- name: config - name: netbird
mountPath: /config mountPath: /var/lib/netbird
resources: resources:
requests: requests:
memory: 192Mi memory: 192Mi
@@ -40,5 +47,5 @@ spec:
memory: 256Mi memory: 256Mi
cpu: 4000m cpu: 4000m
volumes: volumes:
- name: config - name: netbird
emptyDir: { } emptyDir: { }
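Review bot: Setting `readOnlyRootFilesystem: false` on the agent container goes further than the new writable emptyDir at /var/lib/netbird requires; if the agent's writes are confined to its state directory, the mount alone should satisfy it, so I would keep `readOnlyRootFilesystem: true` and add further emptyDir mounts only for any other path the agent is observed writing to — worth confirming against the agent's actual write failures before merging. The explicit `runAsNonRoot: false` is undocumented; a one-line comment above it recording why root is still required (or that it is a temporary accommodation, as the commit message suggests) would keep the next reader from "fixing" it. Note also that `net.ipv4.conf.all.src_valid_mark` is not in the sysctl allow-list of the baseline Pod Security Standard, so if Pod Security admission is enforced on this namespace the pod will be rejected regardless of the kubelet flag — a comment next to the sysctl block noting the namespace must be `privileged` or exempted would make that dependency visible. The enclosing pod spec starts before this hunk, and the second hunk (volume rename) is consistent with the mount change.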


@@ -9,7 +9,7 @@ configMapGenerator:
- NB_LOG_LEVEL="warn" - NB_LOG_LEVEL="warn"
- NB_MANAGEMENT_URL="https://netbird.stonegarden.dev" - NB_MANAGEMENT_URL="https://netbird.stonegarden.dev"
- NB_ADMIN_URL="https://netbird.stonegarden.dev" - NB_ADMIN_URL="https://netbird.stonegarden.dev"
- NB_CONFIG="/config/config.json" - NB_CONFIG="/var/lib/netbird/config.json"
resources: resources:
- agent-setup-key.yaml - agent-setup-key.yaml


@@ -1,4 +1,8 @@
machine: machine:
kubelet:
extraArgs:
# Needed for Netbird agent https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls
allowed-unsafe-sysctls: net.ipv4.conf.all.src_valid_mark
network: network:
hostname: ${hostname} hostname: ${hostname}
nodeLabels: nodeLabels:
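Review bot: The new `allowed-unsafe-sysctls` kubelet argument is node-wide, so every pod scheduled on this node — not only the NetBird agent — may now request `net.ipv4.conf.all.src_valid_mark`; the comment above it should say so, e.g. `# Node-wide: any pod on this node may now set this sysctl, not only the NetBird agent.`. If the agent is pinned to particular nodes, applying the flag only to those node classes would narrow that exposure, though whether this config is per-node or shared cannot be told from the hunk. The kubelet accepts a comma-separated list here, so the single value is fine as written; keep it as a plain scalar or quote it, but do not let a later edit turn it into a YAML list. The `machine:` mapping continues past the end of the hunk.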