-
Notifications
You must be signed in to change notification settings - Fork 40k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PSP admission #24600
PSP admission #24600
Conversation
Nice even number. Auspicious! |
fyi @ericchiang |
I'd like to have it be possible to inject new strategies via interface so On Thu, Apr 21, 2016 at 5:47 PM, Eric Tune notifications@github.com wrote:
|
I'm not following this one yet. Why would we inject the strategies that a PSP uses when it's configured on the PSP object? Or is that not what you're referring to? |
Inject into the admission controller custom strategies for the
constants on each field - ie RunAsRange should be implemented as an
interface so Openshift can have the namespace handler without core
Kube code changing. Also, I want to experiment with future constants
/ expressions without having to refactor all of PSP. The PSP
admission controller should be a skeleton that enforcement policies
are injected into.
|
Ok, getting clearer. The field strategies are implementing a field based interface because the return values are field dependent. I think we can abstract it a bit more though. I'll give it a go. |
I feel like the interface selection should be opaque - ask a list of On Apr 22, 2016, at 8:49 AM, Paul Weil notifications@github.com wrote: ie RunAsRange should be implemented as an Ok, getting clearer. The field strategies are implementing a field based — |
@smarterclayton - last commit abstracts out the creation of strategies that the provider uses by passing in a strategy factory. This can be used downstream to create strategies based on namespace settings. PTAL and let me know what you think. |
API changes in 6f320 look good, but do you know why there are all the generated code changes around versioned.Watch? Doesn't seem like your non-generated code changes would cause that? |
aa42e7 looks good. |
supplementalGroupsField = "supplementalGroups" | ||
) | ||
|
||
// simpleProvider is the default implementation of SecurityContextConstraintsProvider |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is just called Provider now?
looks suspicious. I'll investigate |
// ensure we implement the interface correctly. | ||
var _ Provider = &simpleProvider{} | ||
|
||
// NewSimpleProvider creates a new SecurityContextConstraintsProvider instance. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is just called "Provider" now not "SecurityContextConstraintsProvider".
// 2. Create the providers, includes setting pre-allocated values if necessary. | ||
// 3. Try to generate and validate a PSP with providers. If we find one then admit the pod | ||
// with the validated PSP. If we don't find any reject the pod and give all errors from the | ||
// failed attempts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do we bootstrap a cluster if there are no PSPs initially? Does that mean all pods are rejected? Or does an admin need a hardcoded override? Or should lack of any PSP be interpreted as no PSP required. How does this work on OS and how do you see it working here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In OpenShift we bootstrap infrastructure policies on cluster start and also provide reconciliation commands that can be used during the upgrade process. This is how our default policies and grants are created.
Here, we can either choose to add a bootstrapping process or make the assumption that if no policies exist that none will be enforced which is backwards compatible. @smarterclayton WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I went ahead and made this a configuration option for the plugin since there was no decision.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That seems fine.
rebased |
rebased |
GCE e2e build/test passed for commit 65c8a1f. |
Automatic merge from submit-queue |
Still working on removing the non-relevant parts of the tests but I wanted to get this open to start soliciting feedback.
@liggitt @pmorie - this is the simple implementation requested that assumes all PSPs should be checked for each requests. It is a slimmed down version of our SCC admission controller
@erictune @smarterclayton