Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Pod Security] Restricted volume type check #103323

Merged
merged 1 commit into from
Jul 2, 2021
Merged

[Pod Security] Restricted volume type check #103323

merged 1 commit into from
Jul 2, 2021

Conversation

sejr
Copy link
Contributor

@sejr sejr commented Jun 30, 2021
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR adds a restricted policy check for volume types.

Which issue(s) this PR fixes:

Fixes #103203

Special notes for your reviewer:

If it doesn't already exist, I'm very tempted to add some kind of test utility functions for generating valid specs for these platform-specific volume types that have differing validation requirements.

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://git.k8s.io/enhancements/keps/sig-auth/2579-psp-replacement

/sig auth security

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/security Categorizes an issue or PR as relevant to SIG Security. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 30, 2021
@k8s-ci-robot
Copy link
Contributor

@sejr: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 30, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @sejr. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sejr sejr force-pushed the podsecurity-restricted-volumes branch from a327915 to 0ce0346 Compare June 30, 2021 03:05
@k8s-ci-robot k8s-ci-robot added area/test sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jun 30, 2021
@sejr sejr force-pushed the podsecurity-restricted-volumes branch from 0ce0346 to b089e19 Compare June 30, 2021 03:07
@liggitt liggitt self-assigned this Jun 30, 2021
@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 30, 2021
liggitt
liggitt reviewed Jun 30, 2021
View reviewed changes
staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go
},
},
},
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add a CSI volume to the set of volumes in the pass testcase

add a TODO to add an Ephemeral volume to the set of volumes in the pass testcase once the Ephemeral feature graduates

Copy link
Member

@liggitt liggitt Jul 1, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, the inline CSI volume source requires the CSIInlineVolume feature gate... I hadn't realized that hadn't graduated yet. Drop this from the pass fixture and add a TODO to add it back once the CSIInlineVolume feature graduates to GA

@sejr sejr force-pushed the podsecurity-restricted-volumes branch from b089e19 to f5e9c14 Compare June 30, 2021 23:02
@liggitt
Copy link
Member

liggitt commented Jul 1, 2021

/lgtm
/approve
/retest

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 1, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, sejr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2021
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

1 similar comment
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@liggitt
Copy link
Member

liggitt commented Jul 1, 2021

/hold

the CSI volume in the "pass" fixture is not valid:

=== RUN TestPodSecurityGAOnly/podsecurity-restricted-1-0_pass_restrictedVolumes I0701 12:21:56.029294 121966 httplog.go:104] "HTTP" verb="POST" URI="/api/v1/namespaces/podsecurity-restricted-1-0/pods?dryRun=All" latency="1.85214ms" userAgent="auth.test/v0.0.0 (linux/amd64) kubernetes/$Format" audit-ID="a35c45c8-290d-496f-909c-449598472ce3" srcIP="127.0.0.1:43432" resp=422 run.go:283: 0: unexpected error creating {"metadata":{"name":"test","creationTimestamp":null},"spec":{"volumes":[{"name":"volume-configmap","configMap":{"name":"volume-configmap-test"}},{"name":"volume-downwardapi","downwardAPI":{"items":[{"path":"labels","fieldRef":{"fieldPath":"metadata.labels"}}]}},{"name":"volume-emptydir","emptyDir":{}},{"name":"volume-pvc","persistentVolumeClaim":{"claimName":"test"}},{"name":"volume-projects","projected":{"sources":null}},{"name":"volume-secret","secret":{"secretName":"test"}},{"name":"volume-csi","csi":{"driver":"test"}}],"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{}}],"serviceAccountName":"default","securityContext":{"runAsNonRoot":true}},"status":{}}: Pod "test" is invalid: spec.volumes[6]: Required value: must specify a volume type

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 1, 2021
@sejr sejr force-pushed the podsecurity-restricted-volumes branch from f5e9c14 to 6335a9f Compare July 1, 2021 19:29
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 1, 2021
@sejr
podsecurity: add restricted volume type check
13a1804 
podsecurity: restricted volumes check
@sejr sejr force-pushed the podsecurity-restricted-volumes branch from 6335a9f to 13a1804 Compare July 1, 2021 21:52
@liggitt
Copy link
Member

liggitt commented Jul 1, 2021

/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Jul 1, 2021
@sejr
Copy link
Contributor Author

sejr commented Jul 1, 2021

/retest

@k8s-ci-robot k8s-ci-robot merged commit 8fb6747 into kubernetes:master Jul 2, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jul 2, 2021
@sejr sejr deleted the podsecurity-restricted-volumes branch July 2, 2021 01:19
@liggitt liggitt mentioned this pull request Jul 10, 2021
Closed
12 tasks
@sejr sejr mentioned this pull request Jul 27, 2021
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@deads2k deads2k Awaiting requested review from deads2k

@krmayankk krmayankk Awaiting requested review from krmayankk

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/security Categorizes an issue or PR as relevant to SIG Security. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
SIG Node CI/Test Board
Archived in project
SIG Node: code and documentation PRs
Archived in project
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

[PodSecurity] restricted - volume types
4 participants
@sejr @k8s-ci-robot @liggitt @fejta-bot