Add a ProcMount option to the SecurityContext & AllowedProcMountTypes to PodSecurityPolicy #64283
Conversation
k8s-ci-robot
added
release-note
k8s-github-robot
added
the
kind/api-change
| @@ -271,6 +271,21 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe | |||
| allErrs = append(allErrs, field.Invalid(fldPath.Child("privileged"), *privileged, "Privileged containers are not allowed")) | |||
| } | |||
|
|
|||
| procMount := sc.ProcMount() | |||
| allowedProcMounts := s.psp.Spec.AllowedProcMountTypes | |||
| if allowedProcMounts == nil { | |||
There was a problem hiding this comment.
Check for empty as well? (in addition to nil)
There was a problem hiding this comment.
So a length check against 0 would catch both.
|
@jessfraz we need a Feature for this right? (entry in kube_features.go) |
|
Oh thanks for reminding me I'll do that |
| @@ -586,6 +586,12 @@ message LinuxContainerSecurityContext { | |||
| // no_new_privs defines if the flag for no_new_privs should be set on the | |||
| // container. | |||
| bool no_new_privs = 11; | |||
| // masked_paths is a slice of paths that should be masked by the container | |||
| // runtime, this can be passed directly to the OCI spec. | |||
| repeated string masked_paths = 13; | |||
There was a problem hiding this comment.
run_as_group is 12 its just out of order, it got me on the compile :D
There was a problem hiding this comment.
y, i scratched my head for a few mins and realized that
There was a problem hiding this comment.
is there any guidance for runtimes on how to handle these two fields? containerd/cri@3e4cec8#diff-c656bacd6cb0fe9a7f64814b01256decR358 cri-containerd seems to handle it that way but I believe there must be guidance in the api itself, @Random-Liu @jessfraz
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
added
the
needs-rebase
|
/unassign |
jessfraz
added
sig/node
k8s-ci-robot
removed
the
needs-rebase
jessfraz
force-pushed
the
ProcMountType
branch
2 times, most recently
from
ce9482c to
605cddf
Compare
jessfraz
added
the
kind/feature
k8s-github-robot
added
milestone/needs-approval
and removed
milestone/incomplete-labels
labels
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims, jessfraz, smarterclayton, tpepper The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test pull-kubernetes-e2e-kops-aws |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/test pull-kubernetes-e2e-kops-aws |
|
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. |
|
Can someone confirm this does not break support for docker 1.13? |
|
It doesn't – as long as your pod specs don't request/use the feature. According to https://github.com/kubernetes/kubernetes/pull/64283/files#diff-9a9f71a82ddbbcd0627de3aea90c6649R262 it'll be available starting with Docker API version 1.38 (which isn't even in a released version yet – see here). At that point in the code you also see that it'll fail to admit pods that ask for the feature with Docker not being at that version. |
|
@derekwaynecarr as i mentioned earlier in this PR - |
|
My bad will do next week when back from vacation
|
|
I know the PR is already in, but I'd rather not add more Docker API checking logic in kubelet itself (with dockershim being the exception). Can we move that logic out of kubelet, and just let dockershim return an error when trying to start the pod? The pod will be pending but it's no worse than what this PR currently does IMO. |
|
@jessfraz: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Docker >= 18.06 is needed for securityContext.procMount (Kubernetes >= 1.12) See kubernetes/kubernetes#64283 and docker-archive/docker-ce@67fe100 Signed-off-by: Akihiro Suda <[email protected]>
So there is a bit of a chicken and egg problem here in that the CRI runtimes will need to implement this for there to be any sort of e2e testing.
What this PR does / why we need it: This PR implements design proposal kubernetes/community#1934. This adds a ProcMount option to the SecurityContext and AllowedProcMountTypes to PodSecurityPolicy
Relies on google/cadvisor#1967
Release note:
cc @Random-Liu @mrunalp