PodSecurity: OS based updates to restricted standard #105919
Conversation
k8s-ci-robot
added
do-not-merge/release-note-label-needed
k8s-ci-robot
added
kind/api-change
| @@ -66,6 +66,11 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core | |||
|
|
|||
| podSeccompSet := false | |||
|
|
|||
| // Pod API validation would have failed if podOS == Windows and if secCompProfile has been set. | |||
There was a problem hiding this comment.
suggest putting this at the top of the function
staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
Outdated
Show resolved
Hide resolved
ravisantoshgudimetla
force-pushed
the
ps-restricted-updates
branch
from
b5b5e92 to
67525f0
Compare
|
The podsecurity commit looks about like what I expected One interesting thing is that we don't want to relax PodSecurity until the oldest supported kubelet honors the OS field (and will refuse to run a pod with a mismatched OS field). Otherwise, 1.24 (assuming pod OS is beta) you could submit a pod with a linux container image to a restricted namespace without setting seccompProfile or dropping capabilities by setting the pod OS field to "windows", but it could get scheduled to a 1.22 or 1.23 linux node which would happily run the pod. |
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
|
This seems to me mostly sig Auth. Removing API Machinery for the moment. |
k8s-ci-robot
added
triage/accepted
|
also exclude the allowPrivilegeEscalation restricted check for windows the pod security integration tests should be extended to exercise the minimal valid os-specific pods (linux and windows) ... that would have caught the conflicting requirement that allowPrivilegeEscalation be specified and that allowPrivilegeEscalation is disallowed in validation for windows pods |
|
@ravisantoshgudimetla code freeze for v1.23 is in a week. Please address Jordan's comments ASAP if you are targeting this for the next release. |
ravisantoshgudimetla
force-pushed
the
ps-restricted-updates
branch
from
67525f0 to
60f2b23
Compare
| @@ -57,6 +57,12 @@ func CheckAllowPrivilegeEscalation() Check { | |||
| } | |||
|
|
|||
| func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { | |||
| // Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set. | |||
| // We can admit the Windows pod even if privilegeEscalation has not been set. | |||
| if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows { | |||
There was a problem hiding this comment.
Although nodes that don't understand pod os are technically out of the version skew window in my experience there is often a long tail of clusters running old nodes. I'm wondering if we should make these relaxed constraints a version bump. I.e. only the v1.25 version of the AllowPrivilegeEscalation check would have this? Same for the capabilities & seccomp checks.
@liggitt WDYT?
There was a problem hiding this comment.
Are you thinking that clusters in that state would have pinned their Pod Security policies to 1.24 and earlier versions? If not, I don't really see what the version bump would accomplish
There was a problem hiding this comment.
Are you concerned that pod security admission can run as a webhook?
There was a problem hiding this comment.
Yeah, then this could have a release note like
If you have nodes older than v1.23, namespaces using the restricted pod security level should version-pin to a version before v1.25
There was a problem hiding this comment.
Fair enough - I updated the release note. PTAL
There was a problem hiding this comment.
If we're going with that release note, then the policies also need to be updated to have a different implementation. Basically:
- Add a
allowPrivilegeEscalation_1_25(...)function, with this check (extract the common logic to a helper) - Update
CheckAllowPrivilegeEscalation()to add a new version with the new function
Same for Capabilities & seccomp checks.
staging/src/k8s.io/pod-security-admission/test/testdata/README.md
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/base_linux.yaml
Outdated
Show resolved
Hide resolved
| @@ -55,6 +55,8 @@ func TestPodSecurity(t *testing.T) { | |||
| defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.ProcMountType, true)() | |||
| defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.WindowsHostProcessContainers, true)() | |||
| defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.AppArmor, true)() | |||
| // Ensure IdentifyPodOS field in enabled. | |||
| defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.IdentifyPodOS, true)() | |||
There was a problem hiding this comment.
I guess we'll immediately remove these when the feature gate gets promoted to GA?
There was a problem hiding this comment.
Yes, I'll open a PR once this merges.
| @@ -57,6 +57,12 @@ func CheckAllowPrivilegeEscalation() Check { | |||
| } | |||
|
|
|||
| func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { | |||
| // Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set. | |||
| // We can admit the Windows pod even if privilegeEscalation has not been set. | |||
| if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows { | |||
There was a problem hiding this comment.
Are you thinking that clusters in that state would have pinned their Pod Security policies to 1.24 and earlier versions? If not, I don't really see what the version bump would accomplish
ravisantoshgudimetla
force-pushed
the
ps-restricted-updates
branch
6 times, most recently
from
a98aeaf to
a6f3258
Compare
|
/retest |
staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/pod-security-admission/test/fixtures_test.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/pod-security-admission/test/fixtures_test.go
Outdated
Show resolved
Hide resolved
|
An interesting consequence of making the OS exemption only apply to PodSecurity 1.25+ versions is that lower versions will require securityContext fields to be set even with the OS is explicitly windows, but API validation will forbid those securityContext fields to be set when the OS is explicitly windows. That means that setting OS=windows on a pod will not be possible with a restricted PodSecurity version pinned below 1.25. I think I'm ok with that, especially since a notable reason to pin that way is if you have older nodes who don't understand pod OS and wouldn't enforce it. |
ravisantoshgudimetla
force-pushed
the
ps-restricted-updates
branch
2 times, most recently
from
89556b2 to
3e371d4
Compare
| minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addLinux(restricted_1_22) | ||
| minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addWindows(restricted_1_22) | ||
|
|
||
| // 1.25+: OS specific changes |
There was a problem hiding this comment.
I'd suggest capturing addWindows(restricted_1_0) in a variable with a comment, and so we have it as a starting point if any future versions add restricted requirements for windows pods
// none of the restricted requirements added between 1.0 and 1.25 apply to pods that are explicitly Windows
restricted_1_25_windows := addWindows(restricted_1_0)
...
minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = restricted_1_25_windows
ravisantoshgudimetla
force-pushed
the
ps-restricted-updates
branch
2 times, most recently
from
f49228f to
0eff212
Compare
ravisantoshgudimetla
force-pushed
the
ps-restricted-updates
branch
from
0eff212 to
96950f5
Compare
|
@ravisantoshgudimetla: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, ravisantoshgudimetla The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR ensures that the restricted standard is updated based on the newly added OS field to the pod spec.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: