
Enable PodSecurityPolicy in our test environment #4480

Closed
mattmoor opened this issue Jun 22, 2019 · 15 comments
Labels
area/test-and-release It flags unit/e2e/conformance/perf test issues for product features kind/feature Well-understood/specified features, ready for coding.

Comments

@mattmoor
Member

In what area(s)?

/area test-and-release

Describe the feature

To catch things like: #3237 (comment)

cc @yu2003w

@mattmoor mattmoor added the kind/feature Well-understood/specified features, ready for coding. label Jun 22, 2019
@mattmoor mattmoor added this to the Ice Box milestone Jun 22, 2019
@knative-prow-robot knative-prow-robot added area/test-and-release It flags unit/e2e/conformance/perf test issues for product features kind/good-first-issue labels Jun 22, 2019
@knative-housekeeping-robot

Issues go stale after 90 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle stale.
Stale issues rot after an additional 30 days of inactivity and eventually close.
If this issue is safe to close now please do so by adding the comment /close.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/lifecycle stale

@knative-prow-robot knative-prow-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 23, 2019
@knative-housekeeping-robot

Stale issues rot after 30 days of inactivity.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.
Rotten issues close after an additional 30 days of inactivity.
If this issue is safe to close now please do so by adding the comment /close.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/lifecycle rotten

@knative-prow-robot knative-prow-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 22, 2020
@knative-housekeeping-robot

Rotten issues close after 30 days of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/close

@knative-prow-robot
Contributor

@knative-housekeeping-robot: Closing this issue.

In response to this:

Rotten issues close after 30 days of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh by adding the comment /remove-lifecycle rotten.

Send feedback to Knative Productivity Slack channel or file an issue in knative/test-infra.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Cynocracy
Contributor

/reopen

/remove-lifecycle rotten

@knative-prow-robot
Contributor

@Cynocracy: Reopened this issue.

In response to this:

/reopen

/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow-robot knative-prow-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Mar 27, 2020
@Cynocracy
Contributor

Cynocracy commented Mar 27, 2020

Reopening this; is this something we want to support?

At least from our end, we'd like to maintain a policy, and this repo feels like the appropriate place to do so.

@Cynocracy
Contributor

More info about the last attempt can be found at #4500

@mattmoor
Member Author

I think that we should be shipping a default PSP. It should be harmless for environments that aren't enforcing it, and very useful for installing into environments that require one.

Here are the docs on enabling this for GKE: https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies#enabling_podsecuritypolicy_controller

I'm happy to put together PSPs for the components we ship, we can probably start with a derivative of the Tekton PSP (the main change below is MustRunAsNonRoot):

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: knative-components
spec:
  privileged: false
  allowPrivilegeEscalation: false
  hostNetwork: false
  hostIPC: false
  hostPID: false

  volumes:
  - 'emptyDir'
  - 'configMap'
  - 'secret'

  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
    - min: 1
      max: 65535

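A worked check of the policy above, added here as an example (not code from the knative/serving repository or from this issue); it assumes pod specs are given as plain Python dicts in the shape a YAML manifest would load into, and the sample pods in it are constructed:

```python
# Added example (not code from the knative/serving issue): an offline check of a pod
# manifest against the knative-components PSP quoted above, mirroring its fields in
# plain Python as a teaching aid; it is not the Kubernetes PSP admission code itself.
PSP = {
    "hostNetwork": False, "hostIPC": False, "hostPID": False,
    "privileged": False, "allowPrivilegeEscalation": False,
    "volumes": {"emptyDir", "configMap", "secret"},
    "supplementalGroups": (1, 65535), "fsGroup": (1, 65535),  # MustRunAs ranges
}

def psp_violations(pod):
    """Return the reasons the PSP would reject this pod spec ([] means admitted)."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    out = []
    for f in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(f) and not PSP[f]:
            out.append(f"{f}: true is not allowed")
    for vol in spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):
            if kind not in PSP["volumes"]:
                out.append(f"volume {vol['name']!r}: type {kind} not in allowed list")
    for c in spec.get("containers", []):
        sc = {**psc, **c.get("securityContext", {})}   # container level overrides pod
        if sc.get("privileged") and not PSP["privileged"]:
            out.append(f"container {c['name']!r}: privileged")
        if sc.get("allowPrivilegeEscalation") is True:  # unset is defaulted to false
            out.append(f"container {c['name']!r}: allowPrivilegeEscalation: true")
        # MustRunAsNonRoot: UID 0 or runAsNonRoot: false is rejected at admission;
        # an unset UID is left to the kubelet, which checks the image's numeric USER.
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            out.append(f"container {c['name']!r}: may run as root")
    for field in ("fsGroup", "supplementalGroups"):
        lo, hi = PSP[field]
        vals = psc.get(field, [])
        for g in (vals if isinstance(vals, list) else [vals]):
            if not lo <= g <= hi:
                out.append(f"{field} {g}: outside range {lo}-{hi}")
    return out

# Constructed sample pods: one the PSP admits, and one that trips hostNetwork, a
# hostPath volume and the MustRunAsNonRoot rule the comment calls out.
GOOD_POD = {"spec": {"securityContext": {"fsGroup": 1000},
    "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
    "containers": [{"name": "queue-proxy", "securityContext": {
        "runAsUser": 1000, "allowPrivilegeEscalation": False}}]}}
BAD_POD = {"spec": {"hostNetwork": True,
    "volumes": [{"name": "h", "hostPath": {"path": "/var/run"}}],
    "containers": [{"name": "debug", "securityContext": {"runAsUser": 0}}]}}
```

Running `psp_violations(BAD_POD)` lists three rejections, while the compliant pod returns an empty list; a real cluster would also mutate unset fields (for example defaulting fsGroup to the range minimum), which this check deliberately does not model.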
@mattmoor
Member Author

cc @chaodaiG @chizhg How hard would it be to enable this in our e2e test environments?

@mattmoor mattmoor modified the milestones: Ice Box, Serving 0.15.x Apr 16, 2020
mattmoor added a commit to mattmoor/serving that referenced this issue Apr 16, 2020
@chizhg
Member

chizhg commented Apr 16, 2020

cc @chaodaiG @chizhg How hard would it be to enable this in our e2e test environments?

With the current infra it would be pretty easy, just changing https://github.com/knative/serving/blob/master/test/e2e-tests.sh#L39 to initialize $@ --skip-istio-addon --cluster-creation-flag "--enable-pod-security-policy" would create a PSP-enabled cluster.

@mattmoor
Member Author

Awesome 😍

@mattmoor
Member Author

I'm attempting to make the e2e legs here use this to test it out: knative-extensions/net-contour#107

@mattmoor
Member Author

Sounds like PSPs are out and OPA/Gatekeeper is the new hotness: https://www.youtube.com/watch?v=SFtHRmPuhEw&feature=youtu.be&t=920

@dprotaso dprotaso removed this from the Serving 0.15.x milestone May 26, 2020
@dprotaso dprotaso added this to the Serving 0.16.x milestone May 26, 2020
@dprotaso
Member

Going to close this issue since PSP won't be supported in the future

From: kubernetes/kubernetes#90603

The clock is set for deprecation in 1.22 and removal of beta levels in 1.25.
