Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the option to enable default Pod Security Configuration #9017

Merged
merged 3 commits into from
Aug 18, 2022
Merged

Add the option to enable default Pod Security Configuration #9017

merged 3 commits into from
Aug 18, 2022

Conversation

Foxlik
Copy link
Contributor

@Foxlik Foxlik commented Jun 21, 2022
edited by floryut
Loading

What type of PR is this?
/kind feature

What this PR does / why we need it:
By default only Pods in annotated namespaces are checked for following Pod Security Standards. This change adds the option to reverse the behavior, where Pods in all namespaces not exmpted are checked.

Special notes for your reviewer:
This is my first PR to kubespray and this looks like a quick and easy win to me, but I might be mistaken. Thanks for any feedback.

I'm not sure if any other namespaces should be on the default exempt list.

Does this PR introduce a user-facing change?:

Add the option to enable default Pod Security Configuration

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 21, 2022
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Jun 21, 2022
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Jun 21, 2022
@k8s-ci-robot
Copy link
Contributor

Welcome @Foxlik!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 21, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @Foxlik. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 21, 2022
@k8s-ci-robot k8s-ci-robot requested review from EppO and jayonlau June 21, 2022 13:21
@Foxlik
Copy link
Contributor Author

Foxlik commented Jun 21, 2022

(Trying to figure out who can sign CLA at my company since this was done for one of our clusters.)

cristicalin
cristicalin reviewed Jun 21, 2022
View reviewed changes
roles/kubernetes/control-plane/vars/main.yaml
@@ -1,3 +1,3 @@
---
# list of admission plugins that needs to be configured
kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit]
kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit, PodSecurity]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this addition be conditioned by kube_pod_security_use_default=true ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This variable has been created to ensure that admission plugins that need to be configured, could be provided with this.
In this case, I think it is not necessary to add PodSecurity here because the plugin doesn't need configuration to work.
Here are some examples on how to use it:
https://github.com/kubernetes-sigs/kubespray/search?q=kube_apiserver_admission_plugins_needs_configuration

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alegrey91 Getting this PodSecurityConfiguration file created on the node is the sole reason I got into creating this PR. It's an admission plugin so I thought this was a good place to get it done. If there is a better place or if you think it's more clear to do it in other way, I'm ready to fix that. But the plugin needs the config to work.
I think this also answers your other comment about the PodSecurityConfiguration not being applied to the cluster.

The patch definitely does what's advertised - enable default PodSecurity for whole cluster and when configured, prevent insecure Pods from being spawned. Trust me, it forced me to fix quite a few apps ;).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cristicalin i've added a condition around the PodSecurity in here. I did it the most naive way. Not sure if it's up to standards. Please check.
The original idea was to get the file created always, just empty when kube_pod_security_use_default is false.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Foxlik I got your point.

So, you can leave the code in this way:

kube_apiserver_admission_plugins_needs_configuration: [EventRateLimit,PodSecurity]

You should probably rename the file roles/kubernetes/control-plane/templates/podsecurity.v1beta2.yaml.j2 to roles/kubernetes/control-plane/templates/podsecurity.yaml.j2.

This because the admission-controls.yaml.j2 will grab the name from the variable kube_apiserver_admission_plugins_needs_configuration and use it as name of the AdmissionConfiguration plugin list.

E.g.


apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: EventRateLimit
  path: /path/to/eventratelimit.yaml
- name: PodSecurity                        # extracted from plugin variable
  path: /path/to/podsecurity.yaml          # plugin | lower

Ping me if you have some doubt about the explanation.
Anyway, you did a great work!

@cristicalin
Copy link
Contributor

Hi @Foxlik , thanks for your contribution, please ensure to sign the CLA so it can be accepted.

@oomichi
Copy link
Contributor

oomichi commented Jul 12, 2022

@alegrey91 Could you take a look at this pull request? I guess you might be interested.

@alegrey91
Copy link
Contributor

@oomichi it looks really interesting. Thank for letting me know.
At first glance, seems that the PodSecurityConfiguration manifest is never applied to the cluster.
For the rest, it seems to work.
@Foxlik please fix the PR problems asap.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jul 26, 2022
@Foxlik
Copy link
Contributor Author

Foxlik commented Jul 26, 2022

I finally got the CLA sorted out. Reverted the latest changes, but added an explanation for the empty file. If this looks good to you, please set it to squash before merge.
Thanks.

@floryut
Copy link
Member

floryut commented Jul 26, 2022

I finally got the CLA sorted out. Reverted the latest changes, but added an explanation for the empty file. If this looks good to you, please set it to squash before merge. Thanks.

Thank you, could you please rebase master though ? Otherwise CI won't be happy :)

Foxlik added 3 commits August 1, 2022 10:13
@Foxlik
Add the option to enable default Pod Security Configuration
f4d2e0a 
Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.
@Foxlik
Fix the PR according to code review comments
b9019a2
@Foxlik
Revert the latest changes
519dad5 
- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
@Foxlik
Copy link
Contributor Author

Foxlik commented Aug 1, 2022
edited
Loading

Thank you, could you please rebase master though ? Otherwise CI won't be happy :)

guess I should've said I've done so. anyway, rebased again. hoping to make CI smile again.

@cristicalin
Copy link
Contributor

Thanks for this work @Foxlik !

/approve
/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 6, 2022
@cristicalin
Copy link
Contributor

/cc @floryut @oomichi

@k8s-ci-robot k8s-ci-robot requested review from floryut and oomichi August 7, 2022 13:57
floryut
floryut approved these changes Aug 18, 2022
View reviewed changes
Copy link
Member

@floryut floryut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Foxlik Sorry I totaly forgot this one, nice work on this
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 18, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cristicalin, floryut, Foxlik

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [cristicalin,floryut]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 30c77ea into kubernetes-sigs:master Aug 18, 2022
TinLe added a commit to TinLe/kubespray that referenced this pull request Aug 27, 2022
@TinLe
Merge remote-tracking branch 'upstream/master'
3fa0d59 
* upstream/master: (832 commits)
  add pre-commit hook to facilitate local testing (kubernetes-sigs#9158)
  cri-dockerd: add restart of docker.service (kubernetes-sigs#9205)
  do not run etcd role in scale.yml playbook when etcd installed by kubeadm (kubernetes-sigs#9210)
  optimize the format of evictionHard in kubelet-config.yaml template (kubernetes-sigs#9204)
  Update vars.md (kubernetes-sigs#9172)
  fix one bug in docs/nodes (kubernetes-sigs#9203)
  Fix containerd (<1.7) configuration for insecure registries (kubernetes-sigs#9207)
  🌱 Enable cri-dockerd service (kubernetes-sigs#9201)
  Update vsphere-csi.md (kubernetes-sigs#9170)
  9035: Make Cilium rolling-restart delay/timeout configurable (kubernetes-sigs#9176)
  [kubernetes] Add hashes for 1.24.4, 1.22.13, 1.23.10 and make v1.24.4 default (kubernetes-sigs#9191)
  Add 'avoid-buggy-ips' support of MetalLB (kubernetes-sigs#9166)
  Add the option to enable default Pod Security Configuration (kubernetes-sigs#9017)
  Add 'flush ip6tables' task in reset role (kubernetes-sigs#9168)
  add list nodes rules to cilium-operator clusterrole (kubernetes-sigs#9178)
  docs(kube-vip): fix broken links (kubernetes-sigs#9165)
  Disable DNSStubListener for Flatcar Linux (kubernetes-sigs#9160)
  Subnet setup order fix & Number of master nodes syntax fix (kubernetes-sigs#9159)
  Fix CSI drivers issues on Azure (kubernetes-sigs#9153)
  [calico] calico rr supports multiple groups (kubernetes-sigs#9134)
  ...
@floryut floryut mentioned this pull request Sep 19, 2022
Closed
nolimitkun pushed a commit to nolimitkun/kubespray that referenced this pull request Mar 19, 2023
@Foxlik @nolimitkun
Add the option to enable default Pod Security Configuration (kubernet…
0be6f0c 
…es-sigs#9017)

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Jul 2, 2023
@Foxlik @LuckySB
Add the option to enable default Pod Security Configuration (kubernet…
ac67bb1 
…es-sigs#9017)

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Jul 7, 2023
@Foxlik @LuckySB
Add the option to enable default Pod Security Configuration (kubernet…
cc45302 
…es-sigs#9017)

* Add the option to enable default Pod Security Configuration

Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.

* Fix the PR according to code review comments

* Revert the latest changes

- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alegrey91 alegrey91 alegrey91 left review comments

@cristicalin cristicalin cristicalin left review comments

@floryut floryut floryut approved these changes

@EppO EppO Awaiting requested review from EppO

@jayonlau jayonlau Awaiting requested review from jayonlau

@oomichi oomichi Awaiting requested review from oomichi

Assignees

@floryut floryut

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Foxlik @k8s-ci-robot @cristicalin @oomichi @alegrey91 @floryut