Revision - 4f4e8e9 - envoy: Drop privileges

Revision 4f4e8e9155a6d2639ab02b7de39590bc95ae0c53 authored by Tam Mach on 05 March 2024, 08:34:35 UTC, committed by Julian Wiedmann on 02 April 2024, 17:03:53 UTC

envoy: Drop privileges

[upstream commit 3166f95]

Use cilium-envoy image that drops privileges from the Envoy process
before it starts.

Envoy now needs to be started as `cilium-envoy-starter`, which drops all
privileges before executing `cilium-envoy`.

If `cilium-envoy` is executed directly with any privileges, it will
terminate with the following error message when any Cilium filters are
first configured:

  "[assert failure: get_capabilities(CAP_EFFECTIVE) == 0 &&
   get_capabilities(CAP_PERMITTED) == 0. Details: cilium-envoy
   running with privileges, exiting"

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tam Mach <tam.mach@cilium.io>

1 parent 63859d3

Files
Changes

Permalinks

SECURITY.md

# Security Policy

## Supported Versions

| Version   | Supported          |
|-----------| ------------------ |
| master    | :white_check_mark: |
| 1.12.x    | :white_check_mark: |
| 1.11.x    | :white_check_mark: |
| 1.10.x    | :white_check_mark: |
| < 1.10.0  | :x:                |

## Reporting a Vulnerability

We strongly encourage you to report security vulnerabilities to
our private security mailing list: security@cilium.io - first, before
disclosing them in any public forums.

This is a private mailing list where only members of the Cilium internal
security team are subscribed to, and is treated as top priority.

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...