secprofnodestatus: Link the node profile status with profile using a custom label #685
Conversation
k8s-ci-robot
added
release-note
Codecov Report
@@ Coverage Diff @@
## master #685 +/- ##
==========================================
- Coverage 51.57% 51.22% -0.35%
==========================================
Files 31 31
Lines 2065 2079 +14
==========================================
Hits 1065 1065
- Misses 947 961 +14
Partials 53 53 |
|
hmm, apart from the verify failures the test also seem to be failing on vanilla kube..let me investigate.. |
k8s-ci-robot
added
the
do-not-merge/hold
|
I think it could be the case that we have a SELinux and a Seccomp policy with the same name... Seems to me like that would cause issues. Why not identify profiles with a combinarion of |
Yes, good idea. The labels now look like this: for short names and like this: for long names. The tests should pass now, I was an idiot and thought the |
jhrozek
force-pushed
the
label_len
branch
3 times, most recently
from
e340bf3
to
f956e4a
Compare
|
ugh I suck. I'll fix this tomorrow. |
jhrozek
force-pushed
the
label_len
branch
4 times, most recently
from
1784daf
to
410a112
Compare
|
@saschagrunert @pjbgf @JAORMX I'm having trouble running the make verify target locally to get the same error or understand how to fix it. Locally I'm running: I have the same golangci version and I'm running go 1.17. How do I fix the linter issues? |
|
OK, "solved". I spun up a local toolbox container and installed the bpf libraries using the hack-XXX scripts. For some reason that did help. |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
FWIW, I think the fedora test failure is unrelated. That test had passed in the previous iteration of this PR. |
internal/pkg/util/names.go
Outdated
| // If that's too long, just hash the name. It's not very user friendly, but whatever | ||
| // | ||
| // We can suppress the gosec warning about sha1 here because we don't use sha1 for crypto | ||
| // purposes, but only as a string shortener | ||
| // nolint:gosec | ||
| hasher := sha1.New() |
There was a problem hiding this comment.
Completely understand the rational here. I would probably use sha256 though, given the project's focus in security we should refrain from taking dependencies on algorithmns or libraries that are known to be weak/vulnerable.
This may also be a problem for users in high compliance sectors, as this is not NIST compliant.
There was a problem hiding this comment.
Thank you for the review. I understand where you're coming from, but the problem is the 64 characters length that labels are restricted to in k8s. Consider this (it's python but I hope it's readable nonetheless):
In [5]: hashlib.sha1('foo'.encode()).hexdigest()
Out[5]: '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33'
In [6]: hashlib.sha256('foo'.encode()).hexdigest()
Out[6]: '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae'
In [7]: len(hashlib.sha1('foo'.encode()).hexdigest())
Out[7]: 40
In [8]: len(hashlib.sha256('foo'.encode()).hexdigest())
Out[8]: 64
so sha256 doesn't already fit on its own:
kubectl label sp log-enricher-trace hash=2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
error: invalid label value: "hash=2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae": must be no more than 63 characters
One thing we could do (but..it's kindof a hack..) is to trim the length a bit, e.g. use an equivalent of git's abbrev and fall back to using the full hash without prefix if there is a collision, which frankly is quite unlikely. And even if there was a collision, it wouldn't be that much of a deal as the hash is not used for any security critical functionality, just a link between two objects.
There was a problem hiding this comment.
If you are cool with using sha256, trimming the tail end of it is a common approach which slighty increases chance of collision but that isn't a problem on that case - and less likely to occur than sha1 anyway.
Otherwise, would you be opposed to simply restricting the size of profile name and using that instead?
In both the approaches above, any concerns around name collision through profiles with the same name deployed in different namespaces?
Now if this can be non-deterministic, we could also just append the hex of some random values at the tail end using rand.Read(buf).
There was a problem hiding this comment.
If you are cool with using sha256, trimming the tail end of it is a common approach which slighty increases chance of collision but that isn't a problem on that case - and less likely to occur than sha1 anyway.
How much is reasonable to trim? As little as possible to fill the 63 characters?
Otherwise, would you be opposed to simply restricting the size of profile name and using that instead?
I would not be opposed to that. The only catch is that we use sometimes derive security profile resources from other resources (e.g. we derive from recording name), so we need to be careful and restrict them all or we might be unable to generate the profiles later.
In both the approaches above, any concerns around name collision through profiles with the same name deployed in different namespaces?
Both objects are namespaced and live in the same namespace, so I think using the namehash is no different than using the plain name. Or did you have some other issue in mind?
Now if this can be non-deterministic, we could also just append the hex of some random values at the tail end using rand.Read(buf).
I honestly prefer deterministic at least to make testing easier.
There was a problem hiding this comment.
ok, let me start by trimming the hash and in parallel look at limiting the name. We can compare the two approaches then (and see test results!)
There was a problem hiding this comment.
How much is reasonable to trim? As little as possible to fill the 63 characters?
Yep, as little as possible would be ideal.
I would not be opposed to that. The only catch is that we use sometimes derive security profile resources from other resources (e.g. we derive from recording name), so we need to be careful and restrict them all or we might be unable to generate the profiles later.
Very good point. That's definitely something we want to get right and aligned sooner rather than later.
Both objects are namespaced and live in the same namespace, so I think using the namehash is no different than using the plain name. Or did you have some other issue in mind?
That's right - same issue in both cases. I was thinking this could be a problem when we deploy SPO to watch multiple namespaces for Security Profiles, which I think we still support - but not completely sure.
…custom label We were using the profile name as the value of the spo.x-k8s.io/profile-name label to be able to list node profile statuses for a profile. This is user-friendly but would fail in case the profile name was longer than 64 characters as that's the label size limit. Instead, let's rename the label to spo.x-k8s.io/profile-id. In case the profile name is shorter than the limit, let's still use the name because it's user-friendly, but in case the name is longer, let's instead use a sha1 hash of the name with the profile Kind as a prefix. Using sha1 is OK in this case, because we're not using it for any crypto purposes, just to shorten a name.
|
OK, for now I've changed the hash to use sha256. Still todo is to look at name length validation and check the multi-namespace labels. |
|
/retest |
|
OK, for limiting the name we have basically two options:
Thoughts @pjbgf ? |
|
/test pull-security-profiles-operator-test-e2e |
|
/test pull-security-profiles-operator-test-verify |
|
@pjbgf: The specified target(s) for
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test pull-security-profiles-operator-verify |
|
fedora-e2e failed after running for over 50 minutes - retriggering it now. |
happy to take this approach for now. |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jhrozek, pjbgf The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test pull-security-profiles-operator-test-e2e |
|
/test pull-security-profiles-operator-verify |
1 similar comment
|
/test pull-security-profiles-operator-verify |
|
/override pull-security-profiles-operator-verify |
|
@saschagrunert: Overrode contexts on behalf of saschagrunert: pull-security-profiles-operator-verify In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
We were using the profile name as the value of the spo.x-k8s.io/profile-name
label to be able to list node profile statuses for a profile. This is
user-friendly but would fail in case the profile name was longer than 64
characters as that's the label size limit.
Instead, let's rename the label to spo.x-k8s.io/profile-id. In case the
profile name is shorter than the limit, let's still use the name because
it's user-friendly, but in case the name is longer, let's instead use a
sha1 hash of the name with the profile Kind as a prefix.
Using sha1 is OK in this case, because we're not using it for any crypto
purposes, just to shorten a name.
Which issue(s) this PR fixes:
Fixes #408
Does this PR have test?
Yes
Special notes for your reviewer:
N/A
Does this PR introduce a user-facing change?