Skip to main content
Version: 3.27 (latest)

Run Calico node as non-privileged and non-root

Big picture​

Run long-lived Calico components in non-privileged and non-root containers.

Value​

Running Calico in non-privileged and non-root mode is an option for users who want to secure Calico as much as possible, and who do not care about Calico features beyond the basic Calico networking and network policy. The tradeoff for more security is the overhead of Calico networking management. For example, you no longer receive Calico corrections to misconfigurations caused by other components within your cluster, along with limited support for new features.

Concepts​

To run Calico as securely as possible, long-running Calico components (for example calico/node), can be run without privileged and root permissions in their respective containers. Note that to set up these components, the init containers still need to run with privileged and root permissions, but the risk to cluster security is minimal because of the ephemeral nature of init containers.

Supported​

  • Operator installation only.

Unsupported​

  • Calico Enterprise
  • eBPF dataplane
  • WorkloadSourceSpoofing felix option and the related cni.projectcalico.org/allowedSourcePrefixes annotation
note

Support for features added after Calico v3.21 is not guaranteed.

How to​

  1. Follow the Tigera Calico operator installation instructions. If you have already installed the operator, skip to the next step.

  2. Edit the Calico installation to set the nonPrivileged field to Enabled.

    kubectl edit installation default

    Your installation resource should look similar to the following:

    apiVersion: operator.tigera.io/v1
    kind: Installation
    metadata:
      name: default
    spec:
      calicoNetwork:
        bgp: Enabled
        hostPorts: Enabled
        ipPools:
          - blockSize: 26
            cidr: 192.168.0.0/16
            encapsulation: VXLANCrossSubnet
            natOutgoing: Enabled
            nodeSelector: all()
        linuxDataplane: Iptables
        multiInterfaceMode: None
        nodeAddressAutodetectionV4:
          firstFound: true
      cni:
        ipam:
          type: Calico
        type: Calico
      controlPlaneReplicas: 2
      flexVolumePath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
      nodeUpdateStrategy:
        rollingUpdate:
          maxUnavailable: 1
        type: RollingUpdate
      nonPrivileged: Enabled
      variant: Calico

  3. The calico-node pods in the calico-system namespace should now restart. Verify that they restart properly.

    watch kubectl get pods -n calico-system

Calico should now be running calico-node in non-privileged and non-root containers.