Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PSP admission #24600

Merged
merged 6 commits into from
May 12, 2016
Merged

PSP admission #24600

merged 6 commits into from
May 12, 2016

Conversation

pweil-
Copy link
Contributor

@pweil- pweil- commented Apr 21, 2016

Update PodSecurityPolicy types and add admission controller that could enforce them

Still working on removing the non-relevant parts of the tests but I wanted to get this open to start soliciting feedback.

  • bring PSP up to date with any new features we've added to SCC for discussion
  • create admission controller that is a pared down version of SCC (no ns based strategies, no user/groups/service account permissioning)
  • fix tests

@liggitt @pmorie - this is the simple implementation requested that assumes all PSPs should be checked for each requests. It is a slimmed down version of our SCC admission controller

@erictune @smarterclayton

@pmorie
Copy link
Member

pmorie commented Apr 21, 2016

Nice even number. Auspicious!

@k8s-github-robot k8s-github-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. release-note-label-needed labels Apr 21, 2016
@thockin thockin assigned erictune and unassigned thockin Apr 21, 2016
@erictune
Copy link
Member

fyi @ericchiang

@smarterclayton
Copy link
Contributor

I'd like to have it be possible to inject new strategies via interface so
we can slim down to one implementation and not have to keep refactoring
code. I.e. the admission controller accepts a map of strategies or similar.

On Thu, Apr 21, 2016 at 5:47 PM, Eric Tune notifications@github.com wrote:

fyi @ericchiang https://github.com/ericchiang


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#24600 (comment)

@pweil-
Copy link
Contributor Author

pweil- commented Apr 22, 2016

I'd like to have it be possible to inject new strategies via interface so
we can slim down to one implementation and not have to keep refactoring
code. I.e. the admission controller accepts a map of strategies or similar.

I'm not following this one yet. Why would we inject the strategies that a PSP uses when it's configured on the PSP object? Or is that not what you're referring to?

@smarterclayton
Copy link
Contributor

smarterclayton commented Apr 22, 2016 via email

@pweil-
Copy link
Contributor Author

pweil- commented Apr 22, 2016

ie RunAsRange should be implemented as an
interface

Ok, getting clearer. The field strategies are implementing a field based interface because the return values are field dependent. I think we can abstract it a bit more though. I'll give it a go.

@smarterclayton
Copy link
Contributor

I feel like the interface selection should be opaque - ask a list of
strategies if they accept the constant value. Or just invoke a single
interface with the string, which allows an implementation of a slice of
strategies all matching.

On Apr 22, 2016, at 8:49 AM, Paul Weil notifications@github.com wrote:

ie RunAsRange should be implemented as an
interface

Ok, getting clearer. The field strategies are implementing a field based
interface because the return values are field dependent. I think we can
abstract it a bit more though. I'll give it a go.


You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#24600 (comment)

@pweil-
Copy link
Contributor Author

pweil- commented Apr 25, 2016

@smarterclayton - last commit abstracts out the creation of strategies that the provider uses by passing in a strategy factory. This can be used downstream to create strategies based on namespace settings. PTAL and let me know what you think.

@erictune
Copy link
Member

API changes in 6f320 look good, but do you know why there are all the generated code changes around versioned.Watch? Doesn't seem like your non-generated code changes would cause that?

@erictune
Copy link
Member

aa42e7 looks good.

supplementalGroupsField = "supplementalGroups"
)

// simpleProvider is the default implementation of SecurityContextConstraintsProvider
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is just called Provider now?

@pweil-
Copy link
Contributor Author

pweil- commented Apr 27, 2016

Doesn't seem like your non-generated code changes would cause that?

looks suspicious. I'll investigate

@therc
Copy link
Member

therc commented Apr 27, 2016

I have had maddening issues with verify-codecgen complaining right after running update-codecgen, with spurious diffs. Maybe related to #23749 or #24473

// ensure we implement the interface correctly.
var _ Provider = &simpleProvider{}

// NewSimpleProvider creates a new SecurityContextConstraintsProvider instance.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is just called "Provider" now not "SecurityContextConstraintsProvider".

// 2. Create the providers, includes setting pre-allocated values if necessary.
// 3. Try to generate and validate a PSP with providers. If we find one then admit the pod
// with the validated PSP. If we don't find any reject the pod and give all errors from the
// failed attempts.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do we bootstrap a cluster if there are no PSPs initially? Does that mean all pods are rejected? Or does an admin need a hardcoded override? Or should lack of any PSP be interpreted as no PSP required. How does this work on OS and how do you see it working here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In OpenShift we bootstrap infrastructure policies on cluster start and also provide reconciliation commands that can be used during the upgrade process. This is how our default policies and grants are created.

Here, we can either choose to add a bootstrapping process or make the assumption that if no policies exist that none will be enforced which is backwards compatible. @smarterclayton WDYT?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went ahead and made this a configuration option for the plugin since there was no decision.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That seems fine.

@eparis eparis added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 10, 2016
@pweil-
Copy link
Contributor Author

pweil- commented May 10, 2016

rebased

@k8s-github-robot k8s-github-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 10, 2016
@pmorie pmorie added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 10, 2016
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 10, 2016
@k8s-github-robot k8s-github-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 10, 2016
@pmorie pmorie added lgtm "Looks good to me", indicates that a PR is ready to be merged. cla: yes and removed cla: yes labels May 10, 2016
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 11, 2016
@pweil-
Copy link
Contributor Author

pweil- commented May 11, 2016

rebased

@k8s-github-robot k8s-github-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 11, 2016
@pmorie pmorie added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 11, 2016
@erictune erictune added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label May 11, 2016
@k8s-bot
Copy link

k8s-bot commented May 12, 2016

GCE e2e build/test passed for commit 65c8a1f.

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 4e57c80 into kubernetes:master May 12, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.