don't block traffic generated by the root user on the node

Kubelet has to run as root, blocking the traffic directed to Pods by network policies can impact kubelet probes per example. Since root user can do anything on the node, network policies are not a security boundary for it, so don't apply them to the traffic generated by the root user.
kubernetes-sigs · Jul 23, 2024 · dff26fe · dff26fe
1 parent 2e682f0
commit dff26fe
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
@@ -695,6 +695,13 @@ func (c *Controller) syncNFTablesRules(ctx context.Context) error {
 			Rule: knftables.Concat(
 				"icmpv6", "type", "{", "nd-neighbor-solicit, nd-neighbor-advert", "}", "accept"),
 		})
+		// Don't process traffic generated from the root user in the Node, it can block kubelet probes
+		// or system daemons that depend on the internal node traffic to not be blocked.
+		// Ref: https://github.com/kubernetes-sigs/kube-network-policies/issues/65
+		tx.Add(&knftables.Rule{
+			Chain: chainName,
+			Rule:  "meta skuid 0 accept",
+		})
 		// instead of aggregating all the expresion in one rule, use two different
 		// rules to understand if is causing issues with UDP packets with the same
 		// tuple (https://github.com/kubernetes-sigs/kube-network-policies/issues/12)