Remove the SecurityContextDeny admission controller so that the testing environment matches the production environment #21004
Conversation
|
Labelling this PR as size/XS |
k8s-github-robot
added
the
size/XS
|
LGTM |
|
GCE e2e test build/test passed for commit d602088db8f757a741075c4c9e2e14acdd961df8. |
|
ping @ArtfulCoder |
ArtfulCoder
added
the
lgtm
|
@k8s-bot test this Tests are more than 48 hours old. Re-running tests. |
|
GCE e2e test build/test passed for commit d602088db8f757a741075c4c9e2e14acdd961df8. |
|
@k8s-bot test this Tests are more than 48 hours old. Re-running tests. |
|
GCE e2e test build/test passed for commit d602088db8f757a741075c4c9e2e14acdd961df8. |
|
The admission controller does not check if the pod spec has set pod.Spec.SecurityContext.Privileged == True. As a result, my test which explicity tests whether Privileged pod can be created, succeeds, even though the SecurityContextDeny was set on ApiServer. I believe it might be a bug in the SecurityContext Admission control that we don't verify whether Privileged is set or not |
|
Actually, there is a separate flag for allow-privileged, probably for historical reasons and hence it is not part of the SecurityContextDeny admission control. So that should solve the mystery of why privileged pods are allowed even with SecurityContextDeny. |
|
Please also do a search for SecurityContextDeny. It appears in lots of places. cc @pweil- |
|
@ArtfulCoder What SecurityPolicyDeny does is described here: The comment says: |
|
And we want to allow privileged pods by default, in case that wasn't clear. The feature should be controlled by PodSecurityPolicy instead, in most cases: |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test failed for commit d602088db8f757a741075c4c9e2e14acdd961df8. |
|
@bgrant0607 Note the use of "etc" in the document :)) It is super confusing to have Admission Control (securitycontextdeny), PodSecurityPolicy and on top, another flag --allow-privileged, with seemingly overlapping responsibilities. |
|
@ArtfulCoder I agree. I don't think we need SecurityContextDeny at this point. I was suggesting removing it more broadly from the defaults: from hyperkube, vagrant, kubemark, centos, ubuntu, HA config, etc. Openshift uses SecurityContextConstraint instead: |
|
+1 to removing this. It was initially implemented to prevent usage of the features but now that they've had plenty of burn in time I don't think it's serving a purpose. In the future a PSP admission controller will serve this purpose. Also it would close: #16456 |
|
SGTM. On Tue, Feb 23, 2016 at 11:45 AM, Paul Weil notifications@github.com
|
|
+1 |
|
GCE e2e build/test failed for commit d602088db8f757a741075c4c9e2e14acdd961df8. |
testing environment matches the production environment. This was removed from config-default.sh in kubernetes#16986.
roberthbailey
force-pushed
the
gce-e2e-admission-controllers
branch
from
d602088 to
a238d90
Compare
|
PR changed after LGTM, removing LGTM. |
k8s-github-robot
removed
the
lgtm
|
GCE e2e test build/test passed for commit a238d90. |
ArtfulCoder
added
the
lgtm
…llers Remove the SecurityContextDeny admission controller so that the testing environment matches the production environment
ghost
mentioned this pull request
It's enabled by default, compare #21004.
This was removed from config-default.sh in #16986.
Fixes #18851
/cc @pmorie @vishh @ArtfulCoder