Add PSA to block host field in probe/lifecycle handlers #4942
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
kind/kep
tssurya
force-pushed
the
psa-host-field
branch
from
3cd9662 to
feb1a37
Compare
|
not familiar with the mechanics of this admission plugin, the trickiest part seems to handle the roll out of the feature, as some pods will be impacted by the new policy on upgrade. Things like a rolling update on a deployment comes to mind, where valid pods will created and will be impacted, despite the existing ones running will not. From the network perspective +1 from me, most people should not use the host field, although there are case that is used for polling external endpoints and now it can not be removed without breaking existing workloads, but seems correct to warn these users about the risk they are running by doing that. cc: @tallclair @liggitt |
tssurya
force-pushed
the
psa-host-field
branch
from
feb1a37 to
698b7c0
Compare
k8s-ci-robot
added
size/L
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
I have 3 more sections to update (unit, e2e, integration based on test grid links which since I was traveling was hard to load and access, will update those sections asap).. opening this up for reviews meanwhile @deads2k PTAL if this is doable for 1.33 ? |
tssurya
force-pushed
the
psa-host-field
branch
from
698b7c0 to
2409559
Compare
pod security admission has a couple features to help with this. policies are versioned, so an admin can decouple policy upgrade from cluster upgrade. You can also dry-run policy changes against workload resources. https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/ has some of the details, but we should probably add task documentation specifically for the upgrade scenario. |
I had spoken with @deads2k .. IIUC I should send an email in early part of the release cycle first and get some reviews which I had missed... So we are targeting this for next release and as soon as the window opens I plan to send an email to mailing list for reviews once I update this KEP to a recent state. |
Has the 1.34 KEP window opened? https://kubernetes.slack.com/archives/C0EN96KUY/p1745693668074409?thread_ts=1745431405.777719&cid=C0EN96KUY |
| All related code will land within the same single release | ||
|
|
||
|
|
||
| #### Deprecation |
There was a problem hiding this comment.
For deprecating the .Host field we should probably be reaching out to SIG projects that use it, there is at least one which appears to be used in production clusters (kops):
There was a problem hiding this comment.
So they're deploying the apiserver as a host-network pod and specifying to use host: 127.0.0.1 for the probes, presumably because there may be a firewall blocking access to the healthz port on the public node IP. That seems reasonable. (Ah, actually, there are examples of this in k/k/cluster/ too.)
We could have the semantics of the deprecation/PSA be "you aren't allowed to specify host except in the case of specifying 127.0.0.1 or ::1 for a hostNetwork: true pod...
There was a problem hiding this comment.
For deprecating the .Host field we should probably be reaching out to SIG projects that use it,
that's a good idea..
We could have the semantics of the deprecation/PSA be "you aren't allowed to specify host except in the case of specifying 127.0.0.1 or ::1 for a hostNetwork: true pod...
hmm we could but its still a bit mucky, i.e we either deprecate the field or we don't right? Is it OK to deprecate with exceptions :D
There was a problem hiding this comment.
Deprecation doesn't mean broken and doesn't mean removed. My understanding of this change is
- the meaning of the .Host field is remaining the same
- the resource validation on the .Host field is remaining the same
- PodSecurityAdmission with both version locked and intent driven evaluation modes will enforce a more accurate restriction based on the actual impact of the field. Version locked namespaces have no change. Intent-based namespaces (latest) will get the most accurate enforcement
I don't see documenting the field as deprecated as critical to this change. I'm fine with this KEP without any documentation changes to the field. Marking it deprecated seems more appropriate to do in the KEP that is adding its replacement once it reaches stable.
I suggest making this part optional in the KEP and removing from goals. The documentation should still be updated to explain that usage is privileged.
There was a problem hiding this comment.
ack I think for now, as mentioned by @deads2k I'm removing the deprecation from the enhancement scope.
|
thanks for the reviews (just got back from PTO this week, will address these comments asap. |
|
I've resolved most of the comments from @BenTheElder and @liggitt : Diff for the new pushes can be seen here: https://github.com/kubernetes/enhancements/compare/8d4b17b02bb6725ebf8620657f208216c62e7627..02514fb6fb222958dbd7481cb44a5768dc74d1fe so that its easier to see what changed. Only remaining one is - I think #4942 (comment) is a good point, however I'm not sure if deprecating with exception like that is common practice? |
| ###### How can a rollout or rollback fail? Can it impact already running workloads? | ||
|
|
||
| N/A |
There was a problem hiding this comment.
Please fill this out with the impact to a workload resource (deployment) trying to create new pods with a PSA level set to latest after an upgrade.
There was a problem hiding this comment.
I've updated this to include this info.. on second thoughts I have mentioned this in L246 which probably now needs a tweak? cause on upgrades all pods get recreated so if encountered with the PSA set they would fail? -> updated that as well PTAL. cause existing pods if drained and brought up again during upgrades if PSA is enabled then they won't come up.. so my current sentence was a bit mis-leading
|
@deads2k I've addressed the comments, thanks for taking the time to review |
| All related code will land within the same single release | ||
|
|
||
|
|
||
| #### Deprecation |
There was a problem hiding this comment.
Deprecation doesn't mean broken and doesn't mean removed. My understanding of this change is
- the meaning of the .Host field is remaining the same
- the resource validation on the .Host field is remaining the same
- PodSecurityAdmission with both version locked and intent driven evaluation modes will enforce a more accurate restriction based on the actual impact of the field. Version locked namespaces have no change. Intent-based namespaces (latest) will get the most accurate enforcement
I don't see documenting the field as deprecated as critical to this change. I'm fine with this KEP without any documentation changes to the field. Marking it deprecated seems more appropriate to do in the KEP that is adding its replacement once it reaches stable.
I suggest making this part optional in the KEP and removing from goals. The documentation should still be updated to explain that usage is privileged.
|
Repushed removing references to deprecation: https://github.com/kubernetes/enhancements/compare/c5130fb0298befbda391e0369ebd9884be9f04bb..b287b60cc2361a7548bc70befe18ad664f6a3f61 |
|
lgtm for both the sig and PRR. I see Jordan's lgtm above too /lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: danwinship, deads2k, tssurya The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
| probes with the Host field set when using the (about to be deprecated) API. | ||
| This is implemented by [kubernetes PR 125271](https://github.com/kubernetes/kubernetes/pull/125271) | ||
| that does exactly that. | ||
|
|
There was a problem hiding this comment.
oops I forgot to actually write the localhost part that @BenTheElder and @danwinship pointed out here: #4942 (comment)
will do a small FUP PR to fix that up
.hostfield from ProbeHandler and LifecycleHandler #4940