Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add baseline check for procMount type #103340

Merged
merged 1 commit into from
Jul 1, 2021
Merged

Add baseline check for procMount type #103340

merged 1 commit into from
Jul 1, 2021

Conversation

MadhavJivrajani
Copy link
Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

  • Will not allow if a container (init or not) sets the proc mount type to anything other than Default
  • Include fixture for proc mount baseline generation and the consequent genreated test data

Which issue(s) this PR fixes:

Fixes #103201

Special notes for your reviewer:

The integration tests currently are not passing -- I'm having some difficulty understanding why, would greatly appreciate pointers if any :)

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://git.k8s.io/enhancements/keps/sig-auth/2579-psp-replacement

/assign @tallclair @liggitt

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 30, 2021
@MadhavJivrajani
Copy link
Contributor Author

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 30, 2021
@MadhavJivrajani
Copy link
Contributor Author

/priority important-soon
/triage accepted

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 30, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jun 30, 2021
@MadhavJivrajani
Copy link
Contributor Author

MadhavJivrajani commented Jun 30, 2021
edited
Loading

Command used to run integration tests:

make test-integration WHAT=./test/integration/auth GOFLAGS="-v" KUBE_TEST_ARGS="-run PodSecurity"

The tests fail for the fail category of procmount, the logs for one such failure are:

=== RUN   TestPodSecurity/podsecurity-baseline-1-0_fail_procMount
    run.go:283: 0: expected error creating {"metadata":{"name":"test","creationTimestamp":null},"spec":{"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"procMount":""}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"procMount":"Unmasked"}}],"serviceAccountName":"default","securityContext":{}},"status":{}}, got none
    run.go:284: 0: expected warnings creating {"metadata":{"creationTimestamp":null,"labels":{"test":"true"}},"spec":{"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"procMount":""}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"procMount":"Unmasked"}}],"securityContext":{}},"status":{}}, got none
    run.go:283: 1: expected error creating {"metadata":{"name":"test","creationTimestamp":null},"spec":{"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"procMount":"Unmasked"}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"procMount":""}}],"serviceAccountName":"default","securityContext":{}},"status":{}}, got none
    run.go:284: 1: expected warnings creating {"metadata":{"creationTimestamp":null,"labels":{"test":"true"}},"spec":{"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"procMount":"Unmasked"}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"procMount":""}}],"securityContext":{}},"status":{}}, got none

After adding logs inside the visitor function to see what the proc mount types were being worked with for each container in the pod spec, I get the following:

2021/06/30 15:55:19 Container name: container1 proc mount: Default
2021/06/30 15:55:19 Container name: container1 proc mount: Default
    run.go:283: 0: expected error creating {"metadata":{"name":"test","creationTimestamp":null},"spec":{"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"allowPrivilegeEscalation":false}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"allowPrivilegeEscalation":false,"procMount":"Unmasked"}}],"serviceAccountName":"default","securityContext":{"runAsNonRoot":true}},"status":{}}, got none
2021/06/30 15:55:19 Container name: container1 proc mount: Default
    run.go:284: 0: expected warnings creating {"metadata":{"creationTimestamp":null,"labels":{"test":"true"}},"spec":{"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"allowPrivilegeEscalation":false}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"allowPrivilegeEscalation":false,"procMount":"Unmasked"}}],"securityContext":{"runAsNonRoot":true}},"status":{}}, got none
2021/06/30 15:55:19 Container name: initcontainer1 proc mount: Default
2021/06/30 15:55:19 Container name: initcontainer1 proc mount: Default
    run.go:283: 1: expected error creating {"metadata":{"name":"test","creationTimestamp":null},"spec":{"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"allowPrivilegeEscalation":false,"procMount":"Unmasked"}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"allowPrivilegeEscalation":false}}],"serviceAccountName":"default","securityContext":{"runAsNonRoot":true}},"status":{}}, got none
2021/06/30 15:55:19 Container name: initcontainer1 proc mount: Default
    run.go:284: 1: expected warnings creating {"metadata":{"creationTimestamp":null,"labels":{"test":"true"}},"spec":{"initContainers":[{"name":"initcontainer1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"allowPrivilegeEscalation":false,"procMount":"Unmasked"}}],"containers":[{"name":"container1","image":"k8s.gcr.io/pause","resources":{},"securityContext":{"allowPrivilegeEscalation":false}}],"securityContext":{"runAsNonRoot":true}},"status":{}}, got none

I noticed that even if the spec that is logged out as part of the error message shows the container initcontainer has proc mount Unmasked, the logs that were added later show that the src mount type is still Default

liggitt
liggitt reviewed Jun 30, 2021
View reviewed changes
Copy link
Member

@liggitt liggitt left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall, thanks for the PR. Just a few tweaks. Go ahead and squash updates to a single commit.

@MadhavJivrajani
Copy link
Contributor Author

Thank you @liggitt! I've made the changes :)

@MadhavJivrajani MadhavJivrajani marked this pull request as ready for review June 30, 2021 15:20
@MadhavJivrajani MadhavJivrajani changed the title [WIP] Add baseline check for procMount type Add baseline check for procMount type Jun 30, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 30, 2021
@liggitt liggitt mentioned this pull request Jun 30, 2021
Merged
@MadhavJivrajani
Copy link
Contributor Author

/hold
for #103365 to be merged

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 30, 2021
@MadhavJivrajani
Add baseline check for procMount type
f0ffba7 
- Will not allow if a container (init or not) sets the proc mount type to anything other than `Default`
- Include fixture for proc mount baseline generation and the consequent genreated test data

Signed-off-by: Madhav Jivrajani <[email protected]>
@MadhavJivrajani
Copy link
Contributor Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 1, 2021
@MadhavJivrajani MadhavJivrajani requested a review from liggitt July 1, 2021 14:33
@liggitt
Copy link
Member

liggitt commented Jul 1, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 1, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, MadhavJivrajani

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2021
@k8s-ci-robot k8s-ci-robot merged commit e513598 into kubernetes:master Jul 1, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jul 1, 2021
@MadhavJivrajani MadhavJivrajani deleted the proc-mount-baseline branch July 1, 2021 16:53
@liggitt liggitt mentioned this pull request Jul 10, 2021
Closed
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krmayankk krmayankk Awaiting requested review from krmayankk

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

[PodSecurity] baseline - procMount type
4 participants
@MadhavJivrajani @k8s-ci-robot @liggitt @tallclair