KEP-2579: PodSecurity beta / 1.23 updates #2895

liggitt · 2021-08-24T16:56:55Z

One-line PR description: beta updates for PodSecurity
Issue link: PodSecurity admission (PodSecurityPolicy replacement) #2579
Best reviewed commit-by-commit (for most reviewers, there's only a single relevant commit)

/sig auth

keps/sig-auth/2579-psp-replacement/README.md

liggitt · 2021-08-24T21:17:32Z

keps/sig-auth/2579-psp-replacement/README.md

@@ -609,39 +609,23 @@ pod_security_evaluations_total

 The metric will use the following labels:


cc @dashpole (listed in the KEP as the instrumentation reviewer) and @logicalhan (who had questions about cardinality in the implementing PR)

liggitt · 2021-08-24T21:19:06Z

keps/sig-auth/2579-psp-replacement/README.md

@@ -630,22 +630,21 @@ The metric will use the following labels:

 The following audit annotations will be added:


made coherent with the current implementation and the audit tracking issue in kubernetes/kubernetes#103923

tabbysable · 2021-08-25T05:20:49Z

/lgtm

keps/sig-auth/2579-psp-replacement/README.md

marosset · 2021-08-25T20:52:53Z

LGTM for Windows related updates

liggitt · 2021-08-26T13:09:03Z

added benchmark stats to PRR resource question

deads2k · 2021-08-26T14:04:03Z

keps/sig-auth/2579-psp-replacement/README.md

-`escalate-privilege` verb on the ephemeral containers subresource).
-
-<<[/UNRESOLVED]>>
+This means that an existing pod which is not valid according to the current


Existing and in the case where an ephemeral container tries to add CAP_SYS_PTRACE, the baseline policy will reject?

Not sure I parsed your question correctly, but:

ephemeral containers themselves must pass the current enforce level

adding/updating an ephemeral container is considered a relevant update which requires the whole pod (existing containers) to pass the current enforce level

I expect CAP_SYS_PTRACE to be a common request for debugging, and I was even considering making it the default if we decide to adopt debugging profiles (#2834). Does PTRACE enable a privilege escalation?

Since ephemeral containers cannot be removed, it sounds like it's possible for a pod to fail the current enforce level even if the ephemeral container is no longer running, blocking future updates that would otherwise be allowed at this level. Is that desirable?

I think it's fine for my intended use of breaking glass to debug a pod and then deleting the pod soon afterwards, but I don't think I've thought through all the scenarios yet.

Since ephemeral containers cannot be removed, it sounds like it's possible for a pod to fail the current enforce level even if the ephemeral container is no longer running, blocking future updates that would otherwise be allowed at this level. Is that desirable?

I think so? Some of the changes an escalated ephemeralContainer could make could persist even after the ephemeral container is no longer running. Presence of an ephemeral container in a pod that doesn't fit within the current enforce level seems like it should be rejected, even if it is not running.

There are basically 3 operations that would trigger a pod to be reevaluated, and potentially block the update:

Change the seccomp annotation - deprecated behavior that will be removed soon.

Updating the container image - goes against best practices

Adding an ephemeral container

So, if an exempt user adds a privileged ephemeral container, the pod enters a "violating" state, and non-exempt users can no longer perform any of those updates. This seems reasonable to me.

One way this could be handled under the current model is:

Exempt a special username (not one that can be authenticated directly) from policy enforcement,
e.g. ops:privileged-debugger

Grant the special user permission to ONLY operate on the ephemeral containers subresource (it is
critical that they cannot create or update pods directly).

Grant (real) users that should have privileged debug capability the ability to impersonate the
exempt user.

I still think it's useful to document this workflow somewhere. This behavior would be a bit more intuitive if we had group exemptions (impersonate the breakglass group), but the workflow doesn't change that much as long as RBAC bindings are mostly granted to groups.

verb

I like that this proposal applies the same policy to all of the container types, keeping the default implementation simple.

I'd like to ensure that kubectl debug is useful with the default cluster configuration, ideally with a break glass option. I'm not sure yet how we'll implement that, but it's an explicit goal in this KEP and I'm confident we'll be able to work out the details before the default policy changes to baseline.

/lgtm

verb · 2021-08-27T17:13:39Z

keps/sig-auth/2579-psp-replacement/README.md

-`escalate-privilege` verb on the ephemeral containers subresource).
-
-<<[/UNRESOLVED]>>
+This means that an existing pod which is not valid according to the current


I expect CAP_SYS_PTRACE to be a common request for debugging, and I was even considering making it the default if we decide to adopt debugging profiles (#2834). Does PTRACE enable a privilege escalation?

Since ephemeral containers cannot be removed, it sounds like it's possible for a pod to fail the current enforce level even if the ephemeral container is no longer running, blocking future updates that would otherwise be allowed at this level. Is that desirable?

I think it's fine for my intended use of breaking glass to debug a pod and then deleting the pod soon afterwards, but I don't think I've thought through all the scenarios yet.

deads2k · 2021-08-31T20:07:48Z

prr and the updates for beta lgtm

/approve

/cc @enj
(don't see him already in the list)

k8s-ci-robot · 2021-08-31T20:07:49Z

@deads2k: GitHub didn't allow me to request PR reviews from the following users: mo.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

prr and the updates for beta lgtm

/approve

/cc @mo
(don't see him already in the list)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot · 2021-08-31T20:08:05Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, liggitt, verb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~keps/prod-readiness/OWNERS~~ [deads2k]
~~keps/sig-auth/OWNERS~~ [deads2k,liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

liggitt · 2021-09-03T15:41:14Z

/hold cancel

liggitt requested a review from tallclair August 24, 2021 16:56

k8s-ci-robot requested review from mikedanese and ritazh August 24, 2021 16:57

k8s-ci-robot added the kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory label Aug 24, 2021

liggitt mentioned this pull request Aug 24, 2021

PodSecurity admission (PodSecurityPolicy replacement) #2579

Closed

12 tasks

liggitt added 8 commits August 24, 2021 16:13

2579: windows restricted profile support

fcd63f6

2579: legacy policy lifetime

236d44a

2579: ephemeral containers

e657e28

2579: subresources

087474d

2579: psp migration

12edf13

2579: metrics

d0cacda

2579: audit

882f308

2579: clean up future work

33f195b

liggitt force-pushed the psp-beta branch from 915f2aa to d854a1a Compare August 24, 2021 21:05

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 24, 2021

liggitt changed the title ~~WIP: KEP-2579: beta / 1.23 updates~~ KEP-2579: beta / 1.23 updates Aug 24, 2021

k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 24, 2021