Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PodSecurity] Add privileged containers baseline check #103364

Merged
merged 1 commit into from
Jun 30, 2021
Merged

[PodSecurity] Add privileged containers baseline check #103364

merged 1 commit into from
Jun 30, 2021

Conversation

aramase
Copy link
Member

@aramase aramase commented Jun 30, 2021

Signed-off-by: Anish Ramasekar [email protected]

What type of PR is this?

/kind feature

What this PR does / why we need it:

  • Adds baseline check for privileged containers

Which issue(s) this PR fixes:

Fixes #103196

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[KEP] https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 30, 2021
@aramase
Copy link
Member Author

aramase commented Jun 30, 2021

/release-note-none

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 30, 2021
@k8s-ci-robot k8s-ci-robot requested review from deads2k and liggitt June 30, 2021 15:23
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 30, 2021
@liggitt liggitt self-assigned this Jun 30, 2021
@aramase aramase force-pushed the check-privileged branch 2 times, most recently from 83c885a to 05eb775 Compare June 30, 2021 16:26
tallclair
tallclair reviewed Jun 30, 2021
View reviewed changes
Copy link
Member

@tallclair tallclair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, just a couple minor comments.

@aramase aramase force-pushed the check-privileged branch from 05eb775 to f8c4880 Compare June 30, 2021 16:56
@aramase
Copy link
Member Author

aramase commented Jun 30, 2021

@tallclair Thank you for the review. Updated the forbidden reason and updated fixtures based on the comments.

liggitt
liggitt reviewed Jun 30, 2021
View reviewed changes
Copy link
Member

@liggitt liggitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one comment on the testcases, then lgtm

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021
edited
Loading

oh, looks like you also need to update the integration test in test/integration/auth/podsecurity_test.go to pass --allow-privileged=true when starting the server to even get past validation to exercise this admission check for privileged pods

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

aaaand hack/update-gofmt.sh needs to be run :)

we serve the CI robots, clearly :)

@aramase aramase force-pushed the check-privileged branch from f8c4880 to e07f1bb Compare June 30, 2021 18:03
@k8s-ci-robot k8s-ci-robot added area/test sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jun 30, 2021
@aramase
Copy link
Member Author

aramase commented Jun 30, 2021

oh, looks like you also need to update the integration test in test/integration/auth/podsecurity_test.go to pass --allow-privileged=true when starting the server to even get past validation to exercise this admission check for privileged pods

@liggitt Thanks for the pointer! Updated it.

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

/lgtm
/approve

might need a rebase if #103365 beats it in

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jun 30, 2021
@aramase aramase force-pushed the check-privileged branch from e07f1bb to f8b9a36 Compare June 30, 2021 19:38
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 30, 2021
@aramase
Copy link
Member Author

aramase commented Jun 30, 2021
edited
Loading

@liggitt Pushed a change to set securityContext.AllowPrivilegeEscalation=true in the fixtures to fix

cannot set `allowPrivilegeEscalation` to false and `privileged` to true

integration test error.

I did see this as well in the last test run: Forbidden: disallowed by cluster policy. Looking into that now.

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

I did see this as well in the last test run: Forbidden: disallowed by cluster policy. Looking into that now.

that should be fixed by #103364 (comment)

@aramase
Copy link
Member Author

aramase commented Jun 30, 2021

that should be fixed by #103364 (comment)

The last test run failed with that flag set in the apiserver.

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

The last test run failed with that flag set in the apiserver.

are you sure? checking this branch out locally, the integration test passes once I made sure AllowPrivilegeEscalation was nil in these testcases

@aramase aramase force-pushed the check-privileged branch 3 times, most recently from b320c89 to df1ac6a Compare June 30, 2021 20:12
@aramase
Copy link
Member Author

aramase commented Jun 30, 2021

are you sure? checking this branch out locally, the integration test passes once I made sure AllowPrivilegeEscalation was nil in these testcases

This run was with the flags as it ran after the lgtm:
https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/103364/pull-kubernetes-integration/1410297911975088128.

I set AllowPrivilegeEscalation to nil as you suggested and ran the tests locally. The tests passed.

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 30, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

/triage accepted
/priority important-soon

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 30, 2021
@liggitt
Copy link
Member

liggitt commented Jun 30, 2021
edited
Loading

are you sure? checking this branch out locally, the integration test passes once I made sure AllowPrivilegeEscalation was nil in these testcases

This run was with the flags as it ran after the lgtm:
https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/103364/pull-kubernetes-integration/1410297911975088128.

I set AllowPrivilegeEscalation to nil as you suggested and ran the tests locally. The tests passed.

figured it out... --allow-privileged=true plumbs to setting a global value, but it only sets the first time

other servers in the integration test package initialized this already, so it was ineffective when running all tests in the package

to ensure the global is set the way we want, in addition to --allow-privileged=true, do this in the test setup:

+       "k8s.io/kubernetes/pkg/capabilities"
...
+       // ensure the global is set to allow privileged containers
+       capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true})

@aramase aramase force-pushed the check-privileged branch from df1ac6a to 5bd3334 Compare June 30, 2021 20:39
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 30, 2021
@aramase
Copy link
Member Author

aramase commented Jun 30, 2021

figured it out... --allow-privileged=true plumbs to setting a global value, but it only sets the first time

Ah, gotcha! Added capabilities.SetForTests in the tests.

@liggitt
Copy link
Member

liggitt commented Jun 30, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 30, 2021
@k8s-ci-robot k8s-ci-robot merged commit 642f42d into kubernetes:master Jun 30, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jun 30, 2021
@aramase aramase deleted the check-privileged branch July 1, 2021 03:09
@liggitt liggitt mentioned this pull request Jul 10, 2021
Closed
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@tallclair tallclair tallclair left review comments

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

[PodSecurity] baseline - privileged containers
4 participants
@aramase @liggitt @k8s-ci-robot @tallclair