change: feature flags for image-allow-rules + secure-by-default policy (#1549) #1571
b7c9fa6 to 9afb2ea
Update 15.05.2023

Feature Flag
In yesterday's meeting we agreed upon hiding this "deny by default" functionality behind a feature flag for now, until we figure out a way of non-intrusively exposing this whole IAR feature to the user. I'll follow up on a full-fledged customizable feature flagging solution here: #1609

User Prompting
When prompting the user to allow an image in a deny-all scenario, we aligned on creating the IAR at the client side.

Permissions
Only project admins should be allowed to create/edit IARs.
6f510ea to 4917c49
I'm proposing a slightly different way than completely enabling/disabling the feature with an install flag: an install flag that just toggles the deny-by-default (strict mode) behavior. Here's an example:
$ acorn install --image harbor.thklein.dev/public/acorn:20230517.01
✔ Running Pre-install Checks
✔ Installing ClusterRoles
✔ Installing APIServer and Controller (image harbor.thklein.dev/public/acorn:20230517.01)
✔ Waiting for controller deployment to be available
✔ Waiting for API server deployment to be available
✔ Waiting for registry server deployment to be available
✔ Running Post-install Checks
✔ Installation done
$ acorn run index.docker.io/sangeetha/myfirstacorn:v0.0.1
dark-hill
STATUS: ENDPOINTS[] HEALTHY[] UPTODATE[]
STATUS: ENDPOINTS[] HEALTHY[0] UPTODATE[0] pending
STATUS: ENDPOINTS[] HEALTHY[0/1] UPTODATE[1] [containers: myweb1 ContainerCreating]
STATUS: ENDPOINTS[http://myweb1-dark-hill-6f5942e7.local.on-acorn.io => myweb1:80] HEALTHY[0/1] UPTODATE[1] [containers: myweb1 ContainerCreating]
STATUS: ENDPOINTS[http://myweb1-dark-hill-6f5942e7.local.on-acorn.io => myweb1:80] HEALTHY[0/1] UPTODATE[1] [containers: myweb1 is not ready]
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
| STATUS: ENDPOINTS[http://myweb1-dark-hill-6f5942e7.local.on-acorn.io => myweb1:80] HEALTHY[1] UPTODATE[1] OK |
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
| STATUS: ENDPOINTS[http://myweb1-dark-hill-6f5942e7.local.on-acorn.io => myweb1:80] HEALTHY[1] UPTODATE[1] OK |
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
$ kaf .local/imageallowrules/iar-scope-only.yaml
imageallowrule.api.acorn.io/iar-scope-only created
$ acorn run ghcr.io/k3d-io/k3d-proxy:5.4.9
✗ ERROR: invalid image ghcr.io/k3d-io/k3d-proxy:5.4.9: invalid image no Acornfile found
$ acorn run ghcr.io/acorn-io/library/hello-world:latest
patient-brook
STATUS: ENDPOINTS[] HEALTHY[] UPTODATE[]
STATUS: ENDPOINTS[] HEALTHY[0] UPTODATE[0] pending
STATUS: ENDPOINTS[] HEALTHY[0/1] UPTODATE[1] [containers: webapp ContainerCreating]
STATUS: ENDPOINTS[http://webapp-patient-brook-ca96a1ca.local.on-acorn.io => webapp:80] HEALTHY[0/1] UPTODATE[1] [containers: webapp ContainerCreating]
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
| STATUS: ENDPOINTS[http://webapp-patient-brook-ca96a1ca.local.on-acorn.io => webapp:80] HEALTHY[1] UPTODATE[1] OK |
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
$ acorn run docker.io/iwilltry42/acorn:test.01
• WARNING: This application would like to use the image 'docker.io/iwilltry42/acorn:test.01'.
This could be VERY DANGEROUS to the cluster if you do not trust this
application. If you are unsure say no.
? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? Yes
✗ ERROR: image is not allowed by any ImageAllowRule in this project
$ acorn run docker.io/iwilltry42/acorn:test.01
• WARNING: This application would like to use the image 'docker.io/iwilltry42/acorn:test.01'.
This could be VERY DANGEROUS to the cluster if you do not trust this
application. If you are unsure say no.
? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? No
✗ ERROR: image docker.io/iwilltry42/acorn:test.01 is not allowed by any ImageAllowRule in this project
$ kdelf .local/imageallowrules/iar-scope-only.yaml
imageallowrule.api.acorn.io "iar-scope-only" deleted
$ acorn run docker.io/iwilltry42/acorn:test.01
ancient-waterfall
STATUS: ENDPOINTS[] HEALTHY[] UPTODATE[]
STATUS: ENDPOINTS[] HEALTHY[0] UPTODATE[0] pending
STATUS: ENDPOINTS[] HEALTHY[0/1] UPTODATE[1] [containers: signednginx ContainerCreating]
STATUS: ENDPOINTS[http://signednginx-ancient-waterfall-2719a48b.local.on-acorn.io => signednginx:80] HEALTHY[0/1] UPTODATE[1] [containers: signednginx ContainerCreating]
┌────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
| STATUS: ENDPOINTS[http://signednginx-ancient-waterfall-2719a48b.local.on-acorn.io => signednginx:80] HEALTHY[1] UPTODATE[1] OK |
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
$ acorn install --image harbor.thklein.dev/public/acorn:20230517.01 --image-allow-rules-strict-mode=true
✔ Running Pre-install Checks
✔ Installing ClusterRoles
✔ Installing APIServer and Controller (image harbor.thklein.dev/public/acorn:20230517.01)
✔ Waiting for controller deployment to be available
✔ Waiting for API server deployment to be available
✔ Waiting for registry server deployment to be available
✔ Running Post-install Checks
✔ Installation done
$ acorn run docker.io/iwilltry42/acorn:test.01
• WARNING: This application would like to use the image 'docker.io/iwilltry42/acorn:test.01'.
This could be VERY DANGEROUS to the cluster if you do not trust this
application. If you are unsure say no.
? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? No
✗ ERROR: image docker.io/iwilltry42/acorn:test.01 is not allowed by any ImageAllowRule in this project
$ acorn run ghcr.io/acorn-io/library/hello-world:latest
• WARNING: This application would like to use the image 'ghcr.io/acorn-io/library/hello-world:latest'.
This could be VERY DANGEROUS to the cluster if you do not trust this
application. If you are unsure say no.
? Do you want to allow this app to use this (POTENTIALLY DANGEROUS) image? No
✗ ERROR: image ghcr.io/acorn-io/library/hello-world:latest is not allowed by any ImageAllowRule in this project
$ kaf .local/imageallowrules/iar-scope-only.yaml
imageallowrule.api.acorn.io/iar-scope-only created
$ acorn run ghcr.io/acorn-io/library/hello-world:latest
muddy-breeze
STATUS: ENDPOINTS[] HEALTHY[] UPTODATE[]
STATUS: ENDPOINTS[] HEALTHY[0] UPTODATE[0] pending
STATUS: ENDPOINTS[] HEALTHY[0/1] UPTODATE[1] [containers: webapp ContainerCreating]
STATUS: ENDPOINTS[http://webapp-muddy-breeze-d66cf766.local.on-acorn.io => webapp:80] HEALTHY[0/1] UPTODATE[1] [containers: webapp ContainerCreating]
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
| STATUS: ENDPOINTS[http://webapp-muddy-breeze-d66cf766.local.on-acorn.io => webapp:80] HEALTHY[1] UPTODATE[1] OK |
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
| STATUS: ENDPOINTS[http://webapp-muddy-breeze-d66cf766.local.on-acorn.io => webapp:80] HEALTHY[1] UPTODATE[1] OK |
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
It may still be a little rough around the edges and I don't like some smaller parts about it, but I'd love to get some feedback :)
ffcddad to a7731d1
We discussed another change here.
3917926 to 7ea340e
LGTM, some tests are failing though.
- switch to "secure by default" mode, meaning that with no IAR present, all images will be disallowed and having only one passing for a given image will allow it
- additional field "scope" on IAR CR to define the images for which the rule will apply (prefix or glob matching)

Signed-off-by: Thorsten Klein <tk@thklein.io>
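The two behaviours shown in the terminal session above (no strict mode: an image runs when the project has no IAR at all, but is refused as soon as an IAR exists that does not cover it; strict mode: nothing runs until an IAR covers it) and the "scope" semantics from this commit message can be captured in one small decision function. The following is an added illustration, not code from the acorn runtime; the `ImageAllowRule` struct, the `CheckImage` function, the `strictMode` parameter and the rule that a scope without `*`/`?` is a prefix while one with them is a glob whose `*` may cross `/` are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageAllowRule holds only the parts of the IAR custom resource this
// example needs: a name and the scopes (image prefixes or globs) it covers.
// This is an illustrative shape, not the project's actual CRD type.
type ImageAllowRule struct {
	Name   string
	Scopes []string
}

// scopeMatches reports whether one scope covers the image reference.
// Assumption: a scope containing '*' or '?' is a glob (with '*' allowed to
// cross '/'); any other scope is a plain prefix of the image reference.
func scopeMatches(scope, image string) bool {
	if !strings.ContainsAny(scope, "*?") {
		return strings.HasPrefix(image, scope)
	}
	// Build an anchored regexp from the glob: escape everything, then turn
	// the escaped wildcards back into their regexp equivalents.
	pattern := "^" + regexp.QuoteMeta(scope) + "$"
	pattern = strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(pattern)
	return regexp.MustCompile(pattern).MatchString(image)
}

// Decision is the outcome of the policy check for one image.
type Decision struct {
	Allowed bool
	Rule    string // name of the first matching rule, empty when none matched
	Reason  string
}

// CheckImage applies the policy described in the PR:
//   - a single matching rule is enough to allow the image;
//   - with strict mode (deny by default) on, an image with no matching rule
//     is refused even when the project has no rules at all;
//   - with strict mode off, a project with no rules allows every image, but
//     once any rule exists an image not covered by one is refused.
func CheckImage(image string, rules []ImageAllowRule, strictMode bool) Decision {
	for _, r := range rules {
		for _, s := range r.Scopes {
			if scopeMatches(s, image) {
				return Decision{Allowed: true, Rule: r.Name,
					Reason: "image allowed by ImageAllowRule " + r.Name}
			}
		}
	}
	if len(rules) == 0 && !strictMode {
		return Decision{Allowed: true,
			Reason: "no ImageAllowRule in this project and strict mode is off"}
	}
	return Decision{Allowed: false,
		Reason: fmt.Sprintf("image %s is not allowed by any ImageAllowRule in this project", image)}
}

func main() {
	// Constructed sample rule: covers only the acorn library on ghcr.io,
	// mirroring the "iar-scope-only" rule used in the session above.
	rules := []ImageAllowRule{{Name: "iar-scope-only", Scopes: []string{"ghcr.io/acorn-io/library/*"}}}
	images := []string{
		"ghcr.io/acorn-io/library/hello-world:latest",
		"docker.io/iwilltry42/acorn:test.01",
	}
	for _, strict := range []bool{false, true} {
		for _, img := range images {
			d := CheckImage(img, rules, strict)
			fmt.Printf("strict=%-5v %-45s allowed=%-5v %s\n", strict, img, d.Allowed, d.Reason)
		}
	}
	// With no rules at all, only the strict flag decides.
	for _, strict := range []bool{false, true} {
		d := CheckImage(images[1], nil, strict)
		fmt.Printf("strict=%-5v no rules: allowed=%-5v %s\n", strict, d.Allowed, d.Reason)
	}
}
```

The important edge case is the empty-rule-set branch: it is the only place where strict mode changes the answer, which is exactly what the `--image-allow-rules-strict-mode` runs in the session above demonstrate. Everything else (first matching rule wins, non-matching images refused once a rule exists) is the same in both modes.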
…prompting on not-allowed err Signed-off-by: Thorsten Klein <tk@thklein.io>
…by-default behavior Signed-off-by: Thorsten Klein <tk@thklein.io>
Co-authored-by: Donnie Adams <donald.g.adams@me.com> Signed-off-by: Thorsten Klein <tk@thklein.io>
7ea340e to f25419d
all images will be disallowed and having only one passing for a given
image will allow it
rule will apply (prefix or glob matching)
Signed-off-by: Thorsten Klein <tk@thklein.io>
Ref: #1549