Add support for enforcing read only host paths in PSPs. #58647
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-github-robot
added
the
kind/api-change
jhorwit2
force-pushed
the
for/upstream/master/hostpath-psp-readonly
branch
from
7aecff0 to
d4acf52
Compare
pkg/apis/extensions/types.go
Outdated
| @@ -878,6 +878,14 @@ type AllowedHostPath struct { | |||
| // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` | |||
| // `/foo` would not allow `/food` or `/etc/foo` | |||
| PathPrefix string | |||
|
|
|||
| // ReadOnly when set to true will force volumes matching the path prefix to run as read-only. | |||
There was a problem hiding this comment.
will force volumes matching the path prefix to run as read-only
I don't think this should modify pod specs, which is what that sounds like.
Could be better phrased as "when set to true, will allow host volumes matching the pathPrefix if all volume mounts are readOnly", since you could have the following:
allowedHostPaths:[
{pathPrefix:"/foo", readOnly:true},
{pathPrefix:"/foo/bar", readOnly:false}
]
which would allow a writeable /foo/bar mount
There was a problem hiding this comment.
Ah, good catch. I copied the comment style from something does does modify the spec.
| } | ||
|
|
||
| if allowedHostPath.ReadOnly { | ||
| for cIdx, c := range pod.Spec.InitContainers { |
There was a problem hiding this comment.
this isn't quite right. see the example at #58647 (comment)
make sure there's a testcase for the overlapping-allowedHostPaths-with-different-readonly-settings scenario
There was a problem hiding this comment.
That link isn't going any where specific for me.
There was a problem hiding this comment.
weird, was just a link to the comment above
There was a problem hiding this comment.
Mind looking at the tests I added on the 10th? Is it still outstanding? I thought I covered this there.
jhorwit2
force-pushed
the
for/upstream/master/hostpath-psp-readonly
branch
from
d4acf52 to
d09eff9
Compare
jhorwit2
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
@liggitt PTAL. I fixed the overlapping issue and added some test cases to cover it. |
pkg/apis/extensions/types.go
Outdated
| @@ -878,6 +878,14 @@ type AllowedHostPath struct { | |||
| // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` | |||
| // `/foo` would not allow `/food` or `/etc/foo` | |||
| PathPrefix string | |||
|
|
|||
| // ReadOnly when set to true, will allow host volumes matching the pathPrefix if all volume mounts are readOnly. | |||
| // If the container specifically requests to run with a non-read only volume that matches the path prefix | |||
There was a problem hiding this comment.
If the container specifically requests to run with a non-read only volume that matches the path prefix then the PSP should deny the pod
this isn't accurate... another allowsHostVolume could allow it
There was a problem hiding this comment.
I'd probably just say when set to true, will allow host volumes matching the pathPrefix if all volume mounts are readOnly
| if len(s.psp.Spec.AllowedHostPaths) == 0 { | ||
| // If no allowed paths are specified then allow any path | ||
| // since host path volumes are allowed. | ||
| continue |
There was a problem hiding this comment.
continueing in "success" cases assumes we'll never add other things that need checking later on in the loop. keep this structured to continue only to short-circuit the current volume checking in case of an error
There was a problem hiding this comment.
@liggitt this is keeping the same logic that we had in the util method before. I was trying to decrease the number of changes required to make this change. You'd prefer i set a variable then below check it before emitting every error?
There was a problem hiding this comment.
I think what Liggitt is saying is that you're now continueing over stuff like flex volume validation further on. I'm personally confused why len(s.psp.Spec.AllowedHostPaths) == 0 would cause you to skip the flex volume checks.
Maybe just change the above if statement to:
if fsType == extensions.HostPath && len(s.psp.Spec.AllowedHostPaths) > 1 {
// ...
}There was a problem hiding this comment.
@ericchiang It would never skip flex volume checks if the fs type was flex volume because a volume can't be two types at the same time. So if it reached the existing allowed host path check then it must be a host volume and nothing else.
if fsType == extensions.HostPath {
if len(s.psp.Spec.AllowedHostPaths) == 0 {
// If no allowed paths are specified then allow any path
// since host path volumes are allowed.
continue
}There was a problem hiding this comment.
You'd prefer i set a variable then below check it before emitting every error?
No, I'd prefer to only continue early in cases where we added an error. The current change adds continue statements in non-error cases.
It would never skip flex volume checks if the fs type was flex volume because a volume can't be two types at the same time. So if it reached the existing allowed host path check then it must be a host volume and nothing else.
Continuing early in non-error cases assumes all other checks will be specific to other volume types, which is an assumption I'm trying to avoid adding here.
I was trying to decrease the number of changes required to make this change.
I do agree on minimal change... I think it can be contained entirely to this block and the AllowsHostVolumePath helper:
--- a/pkg/security/podsecuritypolicy/provider.go
+++ b/pkg/security/podsecuritypolicy/provider.go
@@ -229,10 +229,27 @@ func (s *simpleProvider) ValidatePodSecurityContext(pod *api.Pod, fldPath *field
}
if fsType == extensions.HostPath {
- if !psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path) {
+ pathIsAllowed, mustBeReadOnly := psputil.AllowsHostVolumePath(s.psp, v.HostPath.Path)
+ if !pathIsAllowed {
allErrs = append(allErrs, field.Invalid(
field.NewPath("spec", "volumes").Index(i).Child("hostPath", "pathPrefix"), v.HostPath.Path,
fmt.Sprintf("is not allowed to be used")))
+ } else if mustBeReadOnly {
+ // Ensure all the VolumeMounts that use this volume are readonly
+ for i, c := range pod.Spec.InitContainers {
+ for j, cv := range c.VolumeMounts {
+ if cv.Name == v.Name && !cv.ReadOnly {
+ allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "initContainers").Index(i).Child("volumeMounts").Index(j).Child("readOnly"), cv.ReadOnly, "must be read-only"))
+ }
+ }
+ }
+ for i, c := range pod.Spec.Containers {
+ for j, cv := range c.VolumeMounts {
+ if cv.Name == v.Name && !cv.ReadOnly {
+ allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "containers").Index(i).Child("volumeMounts").Index(j).Child("readOnly"), cv.ReadOnly, "must be read-only"))
+ }
+ }
+ }
}
}--- a/pkg/security/podsecuritypolicy/util/util.go
+++ b/pkg/security/podsecuritypolicy/util/util.go
@@ -173,25 +173,29 @@ func GroupFallsInRange(id int64, rng extensions.GroupIDRange) bool {
return id >= rng.Min && id <= rng.Max
}
-// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path.
-// This only checks the path. You should still check to make sure the host volume fs type is allowed.
-func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) bool {
+// AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path, and whether volume mounts
+// that use the path are required to be readonly. This only checks the path. You should still check to make sure the host volume fs type is allowed.
+func AllowsHostVolumePath(psp *extensions.PodSecurityPolicy, hostPath string) (pathIsAllowed, mustBeReadOnly bool) {
if psp == nil {
- return false
+ return false, false
}
// If no allowed paths are specified then allow any path
if len(psp.Spec.AllowedHostPaths) == 0 {
- return true
+ return true, false
}
for _, allowedPath := range psp.Spec.AllowedHostPaths {
if hasPathPrefix(hostPath, allowedPath.PathPrefix) {
- return true
+ if !allowedPath.ReadOnly {
+ return true, false
+ }
+ pathIsAllowed = true
+ mustBeReadOnly = true
}
}
- return false
+ return pathIsAllowed, mustBeReadOnly
}
k8s-ci-robot
added
the
needs-rebase
jhorwit2
force-pushed
the
for/upstream/master/hostpath-psp-readonly
branch
from
d09eff9 to
91beaa8
Compare
k8s-ci-robot
added
size/XL
jhorwit2
force-pushed
the
for/upstream/master/hostpath-psp-readonly
branch
3 times, most recently
from
9972e5e to
226fd5f
Compare
|
/assign @liggitt |
pkg/apis/extensions/types.go
Outdated
| @@ -773,3 +773,277 @@ type ReplicaSetCondition struct { | |||
| // +optional | |||
| Message string | |||
| } | |||
|
|
|||
| // +genclient | |||
There was a problem hiding this comment.
this got added in this commit, then removed in the next. please squash or fixup to avoid noise
|
/kind feature |
k8s-ci-robot
added
the
kind/feature
|
/priority important-soon |
k8s-ci-robot
added
the
priority/important-soon
|
oh, I still think we should put language in the PSP doc (either on the
|
|
[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process Pull Request Labels
|
|
I somehow missed this PR until today, so I apologize in advance for the late feedback. AllowedPaths isn't really useful unless ALL paths are marked readonly (as @liggitt referred to above). Also, it might be useful to have this option for other volume types as well. Given that, what do you think of this alternative API: This could either be a separate whitelist from WDYT? |
|
I'm not sure about pinning readonly restrictions to all volumes of a specific type. Are the reasons that require them all to be readonly mostly unique to hostPath? If we anticipate being able to limit hostPath volumes to particular types (like socket) and pinned paths (not just prefixes) in the future, the per-hostPath construct makes more sense |
|
/retest |
|
lgtm from storage perspective. I agree with @liggitt that requiring volumes to be read only for other volume types may not be as useful. Especially with PVCs being namespaced. |
|
/test pull-kubernetes-e2e-kops-aws |
|
/retest |
@tallclair WDYT? |
jhorwit2
force-pushed
the
for/upstream/master/hostpath-psp-readonly
branch
from
89cf9d8 to
607b236
Compare
|
Ok, I'm convinced. This LGTM. |
|
docs in kubernetes/website#8898 |
jhorwit2
force-pushed
the
for/upstream/master/hostpath-psp-readonly
branch
from
607b236 to
c7fbcf3
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jhorwit2, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
|
Automatic merge from submit-queue (batch tested with PRs 64344, 64709, 64717, 63631, 58647). If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
This PR adds support for the PSP to enforce that host paths are readonly.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #57371
xref kubernetes/enhancements#5
Special notes for your reviewer:
Release note:
/cc @ericchiang @liggitt