-
Notifications
You must be signed in to change notification settings - Fork 40k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PodSecurityPolicy should respect and validate user-supplied RunAsNonR… #47073
Conversation
@kubernetes/sig-auth-pr-reviews |
cc @pweil- |
@@ -51,8 +51,13 @@ func (s *nonRoot) Validate(pod *api.Pod, container *api.Container) field.ErrorLi | |||
allErrs = append(allErrs, field.Invalid(securityContextPath, container.SecurityContext, detail)) | |||
return allErrs | |||
} | |||
if container.SecurityContext.RunAsNonRoot != nil && *container.SecurityContext.RunAsNonRoot == false { | |||
detail := fmt.Sprintf("RunAsNonRoot is forbidden by the pod security policy for container %s", container.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RunAsNonRoot=false is forbidden
... you could set it to true if you wanted
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
update godoc
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, that message is backwards. Let me fix it for you :D
@@ -165,7 +165,10 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container | |||
// if we're using the non-root strategy set the marker that this container should not be | |||
// run as root which will signal to the kubelet to do a final check either on the runAsUser | |||
// or, if runAsUser is not set, the image UID will be checked. | |||
if s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot { | |||
if sc.RunAsNonRoot != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we only need to do something if sc.RunAsNonRoot == nil
... the change in nonRoot#Validate() ensures a non-nil value is acceptable, so we don't need to overwrite it here (and the impl in this block is a no-op, anyway)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ya, that's better.
I'd like to see unit tests around both the Validate() and CreateContainerSecurityContext() changes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to this. IIRC the original behavior was a hold over from the time when the SCDeny plugin was used to prevent people from setting items in the SC so the system could always just DTRT.
Please make sure to add the scenario to the provider tests that do the pass/fail testing for the strategies.
createPod := func() *api.Pod { | ||
return &api.Pod{ | ||
Spec: api.PodSpec{ | ||
Containers: []api.Container{{ | ||
SecurityContext: &api.SecurityContext{}, | ||
SecurityContext: &api.SecurityContext{RunAsNonRoot: &untrue}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the point of this test is to make sure CreateContainerSecurityContext doesn't mutate a pod, so I'd want to leave it completely empty (no RunAsNonRoot set) to enable as many of the if ... == nil { ... }
blocks as possible to run
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
{ | ||
container: &api.Container{ | ||
SecurityContext: &api.SecurityContext{ | ||
RunAsNonRoot: &untrue, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and test that one with RunAsNonRoot: &true
returns no error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
e2b2a34
to
158f17b
Compare
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this |
Currently every change triggers full e2e. This is something we can fix with the magic of bazel! |
/lgtm |
/assign @brendandburns @liggitt - the psp owners file is pretty sparse. |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Q-Lee, brendandburns, liggitt Associated issue: 47071 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
@Q-Lee: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Automatic merge from submit-queue (batch tested with PRs 47073, 47457, 47479) |
What this PR does / why we need it: PodSecurityPolicies overwrite and then fail to validate the RunAsNonRoot field in the container security context.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close that issue when PR gets merged): fixes #47071Special notes for your reviewer: gce/gke don't use this in 1.6. You'll need to speak up if you think this is important enough to patch. It should almost certainly go into 1.7.
Release note: