Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add seccomp least privilege for kuberuntime #90949

Merged
merged 1 commit into from
Jul 14, 2020
Merged

Add seccomp least privilege for kuberuntime #90949

merged 1 commit into from
Jul 14, 2020

Conversation

pjbgf
Copy link
Member

@pjbgf pjbgf commented May 10, 2020
edited
Loading

What type of PR is this?
/kind bug

What this PR does / why we need it:
Decreases the sandbox's attack surface by running it with runtime/default seccomp profile.

As a side effect, it allows end users to set seccomp profiles at pod level with the same profile as they would for container level, considering the pod only has containers with AllowPrivilegeEscalation=false.

Without this PR users had to whitelist some syscalls regardless of their containers needing them: capset, set_tid_address, setgid, setgroups, setuid and etc. More information and examples at #84623.

Which issue(s) this PR fixes:
Part of #84623 (for kuberuntime)
Part of #81115 (for sandbox)

Special notes for your reviewer:
Feature parity for dockershim is handled by a different PR.

Does this PR introduce a user-facing change?:

kuberuntime security: pod sandbox now always runs with `runtime/default` seccomp profile
kuberuntime seccomp: custom profiles can now have smaller seccomp profiles when set at pod level

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

NONE

/cc @tallclair @Random-Liu @dims @mattjmcnaughton
/sig node
/area security

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/node Categorizes an issue or PR as relevant to SIG Node. area/security needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/kubelet labels May 10, 2020
@pjbgf
Copy link
Member Author

pjbgf commented May 10, 2020

/assign @derekwaynecarr

@pjbgf
Copy link
Member Author

pjbgf commented May 10, 2020

/test pull-kubernetes-e2e-kind

@pjbgf
Copy link
Member Author

pjbgf commented May 10, 2020

/test pull-kubernetes-e2e-kind-ipv6
/test pull-kubernetes-e2e-kind

mattjmcnaughton
mattjmcnaughton reviewed May 10, 2020
View reviewed changes
Copy link
Contributor

@mattjmcnaughton mattjmcnaughton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/uncc

I'll follow along here, but unfortunately not sure I have the context to approve/request changes on this change.

@pjbgf
Copy link
Member Author

pjbgf commented May 14, 2020

Adding @tallclair given that this is related to seccomp.

/assign @tallclair

@pjbgf
Copy link
Member Author

pjbgf commented May 18, 2020

/cc @hasheddan @evrardjp @saschagrunert

@k8s-ci-robot k8s-ci-robot requested a review from hasheddan May 18, 2020 20:40
@k8s-ci-robot
Copy link
Contributor

@pjbgf: GitHub didn't allow me to request PR reviews from the following users: evrardjp.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @hasheddan @evrardjp @saschagrunert

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pjbgf
Copy link
Member Author

pjbgf commented May 26, 2020

@liggitt Would be good to consider this as part of validating seccomp GA, as the current behaviour is not very user friendly.

/cc @liggitt

@k8s-ci-robot k8s-ci-robot requested a review from liggitt May 26, 2020 15:53
@pjbgf pjbgf mentioned this pull request Jun 25, 2020
Closed
9 tasks
@liggitt liggitt added this to the v1.19 milestone Jul 8, 2020
@pjbgf
Copy link
Member Author

pjbgf commented Jul 8, 2020

/test pull-kubernetes-e2e-gce-ubuntu-containerd

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 8, 2020
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jul 8, 2020
@pjbgf pjbgf mentioned this pull request Jul 8, 2020
Closed
9 tasks
@pjbgf
Copy link
Member Author

pjbgf commented Jul 8, 2020

/retest

1 similar comment
@pjbgf
Copy link
Member Author

pjbgf commented Jul 8, 2020

/retest

@pjbgf
Copy link
Member Author

pjbgf commented Jul 8, 2020

/test pull-kubernetes-e2e-gce-ubuntu-containerd

@liggitt
Copy link
Member

liggitt commented Jul 9, 2020

/retest

1 similar comment
@saschagrunert
Copy link
Member

/retest

@derekwaynecarr
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 13, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, pjbgf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 13, 2020
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@pjbgf
Copy link
Member Author

pjbgf commented Jul 14, 2020

/retest

2 similar comments
@saschagrunert
Copy link
Member

/retest

@pjbgf
Copy link
Member Author

pjbgf commented Jul 14, 2020

/retest

@saschagrunert
Copy link
Member

/test pull-kubernetes-integration

@k8s-ci-robot k8s-ci-robot merged commit 428b500 into kubernetes:master Jul 14, 2020
@github-actions github-actions bot mentioned this pull request Jul 22, 2020
Open
@YanzhaoLi
Copy link
Member

YanzhaoLi commented Jun 7, 2021
edited
Loading

Hi @pjbgf , with this MR, do that mean all pause containers should have a default seccomp profile?

And I checked the corresponding pid of pause container in k8s 1.20( containerd as runtime) and found the seccomp of several pause containers disabled (3/30 disabled). Is this expected?

$ cat /proc/39966/status | grep Seccomp
Seccomp:        0

And in a cluster with docker as runtime, all pause containers has seccomp: 2

@leoluk leoluk mentioned this pull request Jul 5, 2021
Closed
@pjbgf
Copy link
Member Author

pjbgf commented Oct 22, 2021

@YanzhaoLi if the three pod's were privileged, then all bets are off and its containers will run as unconfined. Can you confirm that's the case, and if not, it would be great if you could share more details of the specific pods that were running with unconfined pause containers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattjmcnaughton mattjmcnaughton mattjmcnaughton left review comments

@dims dims Awaiting requested review from dims

@Random-Liu Random-Liu Awaiting requested review from Random-Liu

@tallclair tallclair Awaiting requested review from tallclair

@hasheddan hasheddan Awaiting requested review from hasheddan

@saschagrunert saschagrunert Awaiting requested review from saschagrunert

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@derekwaynecarr derekwaynecarr

@tallclair tallclair

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet area/security cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/node Categorizes an issue or PR as relevant to SIG Node. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.19
Development

Successfully merging this pull request may close these issues.
9 participants
@pjbgf @k8s-ci-robot @liggitt @saschagrunert @derekwaynecarr @fejta-bot @YanzhaoLi @mattjmcnaughton @tallclair