PodSecurityPolicy.allowedCapabilities: add support for * to allow to request any capabilities #51337
Conversation
k8s-ci-robot
added
size/M
|
Hi @php-coder. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-github-robot
added
kind/api-change
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
While this PR has |
php-coder
force-pushed
the
psp_star_in_allowed_caps
branch
from
02e13bd to
770a770
Compare
|
@timothysc PTAL |
|
@smarterclayton PTAL |
|
This looks ok to me. It is an API change in surface area. We hit this in openshift for administrative users - giving admins access to all capabilities. The "admin" PSP should have this for backwards compatibility when we start enabling PSP. It is also consistent with other PSP policies on the object. @kubernetes/sig-auth-pr-reviews please weigh in. /retest |
k8s-ci-robot
added
the
sig/auth
|
/lgtm Seems reasonable and we allow "*" for a lot of policies. |
k8s-ci-robot
added
the
lgtm
pkg/api/types.go
Outdated
| @@ -1673,6 +1673,10 @@ const ( | |||
| // Capability represent POSIX capabilities type | |||
| type Capability string | |||
|
|
|||
| // AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities | |||
| // field and means that any capabilities are allowed to be requested. | |||
| var AllowAllCapabilities Capability = "*" | |||
There was a problem hiding this comment.
One nit. This should probably be in "pkg/apis/extensions" right? Since it's meant to be used with the PodSecurityPolicy types which are defined there.
There was a problem hiding this comment.
This should probably be in "pkg/apis/extensions" right?
Probably? I'm either not sure what it should be.
There was a problem hiding this comment.
if it is related to PSP, it should be in the PSP API group (just like FSType All is)
There was a problem hiding this comment.
@php-coder do you need to run ./hack/update-all.sh -a if the api was changed?
php-coder
force-pushed
the
psp_star_in_allowed_caps
branch
from
770a770 to
4b39be1
Compare
k8s-github-robot
removed
the
lgtm
|
|
|
needs |
|
/approve |
k8s-github-robot
added
the
approved
|
|
Needs an update
|
php-coder
force-pushed
the
psp_star_in_allowed_caps
branch
from
0410914 to
bfaf740
Compare
|
Test flake #51897:
|
|
Updated. PTAL. The existing test failures aren't related to my code and they're flakes in other parts. |
| @@ -660,6 +660,10 @@ func ValidatePodSecurityPolicySpec(spec *extensions.PodSecurityPolicySpec, fldPa | |||
| allErrs = append(allErrs, validatePSPSupplementalGroup(fldPath.Child("supplementalGroups"), &spec.SupplementalGroups)...) | |||
| allErrs = append(allErrs, validatePSPFSGroup(fldPath.Child("fsGroup"), &spec.FSGroup)...) | |||
| allErrs = append(allErrs, validatePodSecurityPolicyVolumes(fldPath, spec.Volumes)...) | |||
| if len(spec.RequiredDropCapabilities) > 0 && hasCap(extensions.AllowAllCapabilities, spec.AllowedCapabilities) { | |||
| allErrs = append(allErrs, field.Invalid(field.NewPath("requiredDropCapabilities"), spec.RequiredDropCapabilities, | |||
| "required capabilities must be empty when all capabilities are allowed by a wildcard")) | |||
There was a problem hiding this comment.
change to "must be empty when all capabilities are allowed by a wildcard"
There was a problem hiding this comment.
Updated. The only change is this message.
|
nit on validation message, lgtm otherwise |
…ow to request any capabilities. Also modify "privileged" PSP to use it and allow privileged users to use any capabilities.
php-coder
force-pushed
the
psp_star_in_allowed_caps
branch
from
bfaf740 to
7ab69d1
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ericchiang, liggitt, php-coder, smarterclayton Associated issue: 50055 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest Review the full test history for this PR. |
1 similar comment
|
/retest Review the full test history for this PR. |
|
/retest |
|
Any chance we can get this in 1.8? |
would need an exception filed. I'd be in favor... change is minimal, risk is low, benefit is high (allows creating a true superuser PSP which is usually necessary as part of deploying PSP in a cluster) |
|
/retest cc @kubernetes/kubernetes-release-managers this PR was approved before the freeze but was never added to the milestone. As liggitt stated above, It's an extremely low risk change and I'd also like to see this in the release. |
|
/test all |
|
/retest |
|
/retest Review the full test history for this PR. |
|
Automatic merge from submit-queue (batch tested with PRs 51337, 47080, 52646, 52635, 52666). If you want to cherry-pick this change to another branch, please follow the instructions here.. |
What this PR does / why we need it:
Prior this change there was no way to allow to pods to request any capabilities. Cluster admin had always specify a full list of capabilities explicitly. Because there are many of them, it gets tedious. This PR makes possible to use
*to allow all possible capabilities. Non-paranoid (and lazy) cluster admins can use it. Those who are super strict and paranoid of course won't use it because*allows capabilities that don't exist today but may be introduced in the future."privileged" PSP in examples was modified to allow privileged users to use this feature.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #50055Special notes for your reviewer:
This functional is already present in OpenShift: openshift/origin#12875 and openshift/origin#15135
Release note:
CC @simo5 @pweil- @gyliu513 @liqlin2015