Replace deprecated PodSecurityPolicy with PodSecurityAdmission enforcement #5536
Conversation
tekton-robot
added
the
do-not-merge/release-note-label-needed
tekton-robot
added
the
size/L
tekton-robot
added
the
do-not-merge/work-in-progress
|
@JeromeJu: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tekton-robot
added
kind/bug
tekton-robot
removed
the
do-not-merge/work-in-progress
JeromeJu
force-pushed
the
test-PSA
branch
2 times, most recently
from
040f93e
to
eafd07b
Compare
tekton-robot
added
size/M
This commit removes the deprecated PodSeucrityPolicy and add PodSecurityAdmission(PSA) restricted label with respective policies enforced by PSP but not covered by the restricted standard of PSA.
tekton-robot
added
release-note
There was a problem hiding this comment.
This looks basically right to me but I think @wlynch or @skaegi might be better reviewers-- could either of you take a look?
@JeromeJu it might be helpful to make a list (either in your doc or the commit message) of the pod security policy configuration options we're using and what replaces them. (For most, it'll probably be replaced by the pod security admission label you've added.)
Lastly, the release note should indicate changes relevant to users, and I don't think replacing our podsecuritypolicy should be relevant to them since you added the pod security admission. However, I think users might need to set a feature gate to enable pod security admission for k8s 1.22 to 1.24 (https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-graduated-or-deprecated-features), so please include "action required" in the release note with instructions on how to do that.
I'd also change the commit title to "Replace deprecated PodSecurityPolicy with Pod Security Admission enforcement".
| seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' | ||
| seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' | ||
| apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | ||
| apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
There was a problem hiding this comment.
Do these annotations need to be replaced with any changes to the deployment spec?
There was a problem hiding this comment.
I think I'm okay with this - I don't think we were ever requiring a strict set of apparmor / seccomp policies - we just wanted to make sure that there was some policy set. The restricted policy still enforces this, though loosens it a bit in that it's easier to load in other policies present on the node.
We may want to double check that this is working on a few common k8s setups (since if a policy isn't defined this will fail), but otherwise this seems okay.
JeromeJu
changed the title
JeromeJu
changed the title
| seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' | ||
| seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' | ||
| apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' | ||
| apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' |
There was a problem hiding this comment.
I think I'm okay with this - I don't think we were ever requiring a strict set of apparmor / seccomp policies - we just wanted to make sure that there was some policy set. The restricted policy still enforces this, though loosens it a bit in that it's easier to load in other policies present on the node.
We may want to double check that this is working on a few common k8s setups (since if a policy isn't defined this will fail), but otherwise this seems okay.
| volumes: | ||
| - 'emptyDir' | ||
| - 'configMap' | ||
| - 'secret' |
There was a problem hiding this comment.
The values covered in PSS is technically larger than we we previously set, but I think I'm okay with the increase in scope. This is the list PSS looks for:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
| max: 65535 | ||
| seLinux: | ||
| rule: 'RunAsAny' | ||
| supplementalGroups: |
There was a problem hiding this comment.
FWIW, it doesn't look like this is included in PSS so it's something we'll need to be mindful about (I'm not sure if you can add root as a supplemental group, though I hope not).
As is I think this is okay, since we're not setting any supplemental groups and we're dropping capabilities like SETUID/SETGID that could be possible escalation points.
There was a problem hiding this comment.
Thanks Billy, I thought the point of supplementalGroups in PSP is to not allow root access. So can I ask will runAsNonRoot to be set as true here cover this?
There was a problem hiding this comment.
Reading https://pkg.go.dev/k8s.io/api/core/v1#SecurityContext + the PSS docs it looks like runAsNonRoot doesn't restrict GID, just UID. That said, we're not granting root GID in any of our yamls, so it's probably fine (just something to keep in mind since PSS won't stop us from setting this).
tekton-robot
added
release-note-action-required
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lbernick, wlynch The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
|
/retest |
Currently blocked on a release from Tekton: tektoncd/pipeline#5536 is expected to be released in 0.41 which is scheduled for oct 13, 2022: https://github.com/tektoncd/pipeline/milestone/60
Currently blocked on a release from Tekton: tektoncd/pipeline#5536 is expected to be released in 0.41 which is scheduled for oct 13, 2022: https://github.com/tektoncd/pipeline/milestone/60
Changes
This commit removes the PodSeucrityPolicy, which is deprecated in
Kubernetes v1.21 and removed from v1.25. This adds to the
PodSecurityAdmission(PSA) restricted label with respective policies
enforced by PSP but not covered by the restricted standard of PSA.
Loosen permissions in PSP
Note that with the
restrictedstandard of PSA, the pods in the namespacewith the PSA annotations would now have the following permissions other
than the enforcement in PSP:
runAsNonRootin PSA only restricts UID but not GroupIDPolicies in PSP not covered by PSA
The following policies are not covered by PSA but are in PSP, they
are specified in both controller.yaml and webhook.yaml:
| previously in PSP | currently in PSA |
|
seLinux|PodTemplate.securityContext.seLinux||
fsGroup|PodTemplate.securityContext.runAsNonRoot||
runAsGroup|PodTemplate.securityContext.runAsNonRoot||
supplementalGroups|PodTemplate.securityContext.runAsNonRoot|seLinuxspecification is not enforced by PSA, so it has been set in the securityContext field for both controller.yaml and webhook.yaml.fsGroup,runAsGroupandsupplementalGroupsare enforced to use a range of id other than 0 withmustRunAsrule in PSP but not in PSA, so it is specified asrunAsNonRootin controller and webhook to forbid root accessFixes: #4112
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
/kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes