
PodSecurity: OS based updates to restricted standard #105919

Merged

Conversation

@ravisantoshgudimetla (Contributor) commented Oct 26, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR ensures that the restricted standard is updated based on the newly added OS field to the pod spec.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

As of v1.25, the PodSecurity `restricted` level no longer requires pods that set .spec.os.name="windows" to also set Linux-specific securityContext fields. If a 1.25+ cluster has unsupported [out-of-skew](https://kubernetes.io/releases/version-skew-policy/#kubelet) nodes prior to v1.23 and wants to ensure namespaces enforcing the `restricted` policy continue to require Linux-specific securityContext fields on all pods, ensure a version of the `restricted` policy prior to v1.25 is selected by labeling the namespace (for example, `pod-security.kubernetes.io/enforce-version: v1.24`).

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[KEP]:  https://github.com/kubernetes/enhancements/pull/3303
[Other doc]: https://kubernetes.io/docs/concepts/security/pod-security-standards/

@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 26, 2021
@k8s-ci-robot k8s-ci-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Oct 26, 2021
@@ -66,6 +66,11 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core

podSeccompSet := false

// Pod API validation would have failed if podOS == Windows and if secCompProfile has been set.
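Review bot: the new comment `// Pod API validation would have failed if podOS == Windows and if secCompProfile has been set.` lands after `podSeccompSet := false` instead of at the entry of `seccompProfileRestricted_1_19`, so a reader has to get past local state before learning that the Windows case is covered by API validation rather than by this check; hoist the comment, and whatever Windows early-return it annotates, to the top of the function. The comment also spells the field `secCompProfile`; the API field is `seccompProfile`. Since this is the 1.19 version of the check, confirm that any Windows exemption added here is versioned, so that a namespace pinned below v1.25 keeps requiring seccompProfile on every pod, which is what the release note on this PR promises.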
Inline review comment (Member):

suggest putting this at the top of the function

@liggitt (Member) commented Oct 26, 2021

The podsecurity commit looks about like what I expected

One interesting thing is that we don't want to relax PodSecurity until the oldest supported kubelet honors the OS field (and will refuse to run a pod with a mismatched OS field). Otherwise, in 1.24 (assuming pod OS is beta) you could submit a pod with a linux container image to a restricted namespace without setting seccompProfile or dropping capabilities by setting the pod OS field to "windows", but it could get scheduled to a 1.22 or 1.23 linux node which would happily run the pod.

@k8s-triage-robot

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@fedebongio (Contributor)

This seems to me mostly sig Auth. Removing API Machinery for the moment.
/cc @deads2k
/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 28, 2021
@liggitt (Member) commented Oct 28, 2021

also exclude the allowPrivilegeEscalation restricted check for windows

the pod security integration tests should be extended to exercise the minimal valid os-specific pods (linux and windows) ... that would have caught the conflicting requirement that allowPrivilegeEscalation be specified and that allowPrivilegeEscalation is disallowed in validation for windows pods

@enj enj added this to Needs Triage in SIG Auth Old Nov 1, 2021
@enj enj moved this from Needs Triage to Changes Requested in SIG Auth Old Nov 8, 2021
@enj (Member) commented Nov 8, 2021

@ravisantoshgudimetla code freeze for v1.23 is in a week. Please address Jordan's comments ASAP if you are targeting this for the next release.

@liggitt liggitt self-assigned this Nov 9, 2021
@ravisantoshgudimetla force-pushed the ps-restricted-updates branch 5 times, most recently from a98aeaf to a6f3258, July 15, 2022 23:33
@ravisantoshgudimetla (Contributor, Author)

/retest

@tallclair (Member) left a review:

lgtm from a policy perspective, but I'll let @liggitt have the final say.

@liggitt (Member) commented Jul 22, 2022

An interesting consequence of making the OS exemption only apply to PodSecurity 1.25+ versions is that lower versions will require securityContext fields to be set even when the OS is explicitly windows, but API validation will forbid those securityContext fields to be set when the OS is explicitly windows.

That means that setting OS=windows on a pod will not be possible with a restricted PodSecurity version pinned below 1.25. I think I'm ok with that, especially since a notable reason to pin that way is if you have older nodes that don't understand pod OS and wouldn't enforce it.

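The Oct 26 warning about old kubelets, the release note's `enforce-version` pin, and the Jul 22 observation that a restricted namespace pinned below 1.25 cannot admit an explicitly-windows pod at all are three views of one interaction between API validation and the versioned policy. The Go program below is an added example, not code from this PR or from the kubernetes pod-security-admission package: it models that interaction with a deliberately reduced `Pod` struct, three of the restricted checks the thread names (seccompProfile, capabilities, allowPrivilegeEscalation) gated by the version they appeared in, and runAsNonRoot as a 1.0 requirement that applies to every OS. The field names, the check versions and the `ValidatePod` rule are assumptions drawn from the discussion, not the project's real API.

```go
package main

import "fmt"

// Version is a PodSecurity policy version such as v1.24 (major.minor only).
type Version struct{ Major, Minor int }

func (v Version) AtLeast(o Version) bool {
	return v.Major > o.Major || (v.Major == o.Major && v.Minor >= o.Minor)
}

var LatestVersion = Version{1, 25} // newest policy version this toy model knows

// Pod is a reduced, hypothetical model of the pod fields the restricted
// profile inspects; nil pointers mean "not set", as in the real API.
type Pod struct {
	OSName                   string // .spec.os.name: "", "linux" or "windows"
	SeccompProfileType       string // "", "RuntimeDefault", "Localhost" or "Unconfined"
	CapabilitiesDropAll      bool   // capabilities.drop contains "ALL"
	AllowPrivilegeEscalation *bool
	RunAsNonRoot             *bool
}

func boolPtr(b bool) *bool { return &b }

// ParseEnforceVersion reads the pod-security.kubernetes.io/enforce-version
// namespace label; an absent label or "latest" selects LatestVersion.
func ParseEnforceVersion(labels map[string]string) (Version, error) {
	raw, ok := labels["pod-security.kubernetes.io/enforce-version"]
	if !ok || raw == "latest" {
		return LatestVersion, nil
	}
	var v Version
	if _, err := fmt.Sscanf(raw, "v%d.%d", &v.Major, &v.Minor); err != nil {
		return Version{}, fmt.Errorf("malformed enforce-version label %q: %w", raw, err)
	}
	return v, nil
}

// ValidatePod models the API-server rule the thread relies on: a pod that is
// explicitly windows may not carry the Linux-specific securityContext fields.
func ValidatePod(p Pod) []string {
	var errs []string
	if p.OSName == "windows" {
		if p.SeccompProfileType != "" {
			errs = append(errs, "seccompProfile is not allowed for windows pods")
		}
		if p.CapabilitiesDropAll {
			errs = append(errs, "capabilities is not allowed for windows pods")
		}
		if p.AllowPrivilegeEscalation != nil {
			errs = append(errs, "allowPrivilegeEscalation is not allowed for windows pods")
		}
	}
	return errs
}

// EvaluateRestricted applies the restricted checks as they exist at policy version v.
// The windows exemption for the three Linux-only checks exists only from v1.25.
func EvaluateRestricted(p Pod, v Version) []string {
	var forbidden []string
	if p.RunAsNonRoot == nil || !*p.RunAsNonRoot { // 1.0 requirement, every OS
		forbidden = append(forbidden, "runAsNonRoot != true")
	}
	if p.OSName == "windows" && v.AtLeast(Version{1, 25}) {
		return forbidden
	}
	if p.AllowPrivilegeEscalation == nil || *p.AllowPrivilegeEscalation {
		forbidden = append(forbidden, "allowPrivilegeEscalation != false")
	}
	if v.AtLeast(Version{1, 19}) && p.SeccompProfileType != "RuntimeDefault" && p.SeccompProfileType != "Localhost" {
		forbidden = append(forbidden, "seccompProfile")
	}
	if v.AtLeast(Version{1, 22}) && !p.CapabilitiesDropAll {
		forbidden = append(forbidden, "unrestricted capabilities")
	}
	return forbidden
}

// Admit runs API validation first, then the restricted policy at the version
// the namespace labels select; false plus reasons means the pod is rejected.
func Admit(p Pod, nsLabels map[string]string) (bool, []string, error) {
	if errs := ValidatePod(p); len(errs) > 0 {
		return false, errs, nil
	}
	v, err := ParseEnforceVersion(nsLabels)
	if err != nil {
		return false, nil, err
	}
	if forbidden := EvaluateRestricted(p, v); len(forbidden) > 0 {
		return false, forbidden, nil
	}
	return true, nil, nil
}

func main() {
	// Constructed input: a windows pod that omits every Linux-only field.
	win := Pod{OSName: "windows", RunAsNonRoot: boolPtr(true)}
	pinned := map[string]string{"pod-security.kubernetes.io/enforce-version": "v1.24"}
	fmt.Println(Admit(win, map[string]string{})) // true [] <nil>: admitted at v1.25
	fmt.Println(Admit(win, pinned))              // false [...] <nil>: rejected at v1.24
}
```

Run as written, the windows pod that sets nothing but runAsNonRoot is admitted under the latest policy and rejected for three reasons under a namespace pinned to v1.24; adding the three fields to satisfy v1.24 only moves the rejection into `ValidatePod`, which is the dead end the Jul 22 comment accepts. What the model cannot show is the pre-1.23 kubelet that would run the admitted pod as an unconfined Linux container, and that gap is the whole reason the pin exists.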
@ravisantoshgudimetla force-pushed the ps-restricted-updates branch 2 times, most recently from 89556b2 to 3e371d4, July 25, 2022 13:02
minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addLinux(restricted_1_22)
minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addWindows(restricted_1_22)

// 1.25+: OS specific changes
Inline review comment (Member):

I'd suggest capturing addWindows(restricted_1_0) in a variable with a comment, and so we have it as a starting point if any future versions add restricted requirements for windows pods

// none of the restricted requirements added between 1.0 and 1.25 apply to pods that are explicitly Windows
restricted_1_25_windows := addWindows(restricted_1_0)
...
minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = restricted_1_25_windows

Inline review follow-up (Member):

this is still outstanding

Two resolved (outdated) review threads on staging/src/k8s.io/pod-security-admission/test/run.go
@ravisantoshgudimetla force-pushed the ps-restricted-updates branch 2 times, most recently from f49228f to 0eff212, July 26, 2022 14:12
@k8s-ci-robot (Contributor) commented Jul 26, 2022

@ravisantoshgudimetla: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: pull-kubernetes-e2e-gce-alpha-features
Commit: 60f2b2382734eb8c355f9389e55da15fe0d4ef34
Details: link
Required: false
Rerun command: /test pull-kubernetes-e2e-gce-alpha-features

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.


@ravisantoshgudimetla (Contributor, Author)

/retest

@liggitt (Member) commented Jul 27, 2022

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 27, 2022
@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, ravisantoshgudimetla


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 27, 2022
@k8s-ci-robot k8s-ci-robot merged commit ec905a4 into kubernetes:master Jul 27, 2022
SIG-Windows automation moved this from In Progress (v1.25) to Done (v1.25) Jul 27, 2022
SIG Auth Old automation moved this from Needs Triage to Closed / Done Jul 27, 2022
SIG-Auth: PodSecurity automation moved this from In Progress to Done (1.25) Jul 27, 2022
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. sig/windows Categorizes an issue or PR as relevant to SIG Windows. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.

9 participants