Add node-level plugin support for pod admission handler

[SaranBalaji90]

This is initial proposal doc for adding "out of tree" plugin support for pod admission handler. It is not currently possible to add additional validations (without changing kubelet code) before admitting the Pod. This PR provides flexibility for adding such validations without updating kubelet source code.

[k8s-ci-robot]

Welcome @SaranBalaji90!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @SaranBalaji90. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[riking]

Should this be integrated with the CRI?

[riking]

"Cluster admins could simply set the 'node' field of a pod, bypassing any constraints enforced by a scheduler or its plugins, such as taints."

[derekwaynecarr]

its not clear it makes sense to protect against the cluster admin ability to circumvent security policies.

[riking]

A finished KEP describes an enhancement, and is not an invitation to discussion.

[SaranBalaji90]

@riking sorry, meant to say this KEP is to propose changes to move some stuff out of k8s source code. Will update this along with implementation detail of whatever we decide on.

[SaranBalaji90]

Should this be integrated with the CRI?

that's a good suggestion. Haven't looked at CRI in depth, will take a look at this.

[derekwaynecarr]

I am not adverse to additional plugins for kubelet admission that are not compiled w/ the kubelet, but I feel like the kubelet should have the function to validate the pod spec.

[derekwaynecarr]

nit: s/docker/container-engine to reflect cri

[derekwaynecarr]

its not clear it makes sense to protect against the cluster admin ability to circumvent security policies.

[derekwaynecarr]

are there specific scenarios you have in mind?

[derekwaynecarr]

i think this inverses the problem. the expectation is that a node can satisfy the pod spec requirements. the container runtime is a detail.

[SaranBalaji90]

We discussed about this during our Jan 21st sig/node meeting. Will update the KEP and bring it up again in upcoming sig/node meeting.

[k8s-ci-robot]

@SaranBalaji90: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-enhancements-verify	aab0d07	link	/test pull-enhancements-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[derekwaynecarr]

/assign

discussed in sig-node on 4/21, will review and reflect on potential issues.

• what happens if a pod is rejected by this admission plugin?
• could a status get reported on why the rejection happened?
• similar issue has arisen with in-tree admission handlers in kubelet today
• what is anticipated maintenance cycle of this plugin?
• does it tie to kubelet readiness (akin to CNI)?
• have you considered a scheduler extension instead of a node local kubelet approach?

[dashpole]

/cc

[AlexeyPerevalov]

I dealt with CNI while developed kuryr-kubernetes CNI plugin. And I found cmd line interface of CNI is little bit out dated, it doesnt' conform to actual state, since all known for me CNI nowdays use daemons in runtime/and persistently run in pod and cmd line client to connect to its daemon. So RPC is better, what kind of RPC it's another question. I liked the way podresources were implemeted or device plugins. If neceserity this feature will be proven, I vote for the solution based on RPC (gRPC) working through unix domain socket.

[SaranBalaji90]

Under design, I have included the structs for configuration file. There I specified three options for plugin types - binary file, unix socket and local grpc server. We can decide if we need to support just unix socket and remove the other two.

[derekwaynecarr]

unlike device plugins or cni, there is an implication that no other pod is running on this host as part of bootstrapping the host. dns and sdn is configured outside of kube-api model itself.

[derekwaynecarr]

are daemonset pods targeting this node type? is there a dns plugin or sdn configured via a daemonset? do things like a node exporter or similar monitoring components exclude this node type?

[SaranBalaji90]

Currently daemonset pods doesn't run on these node types. But that's something we are looking into.

[derekwaynecarr]

the implication here is that dynamic kubelet configuration is disabled on managed nodes.

[SaranBalaji90]

That's right. I guess you meant, if its enabled then users can update the kubelet configuration and change the plugin dir?

[derekwaynecarr]

similar to kube-apiserver admission configuration, i could see wanting to enable more flexibility here outside of a file based configuration surface on the local kubelet. maybe kubelet can source its admission configuration from multiple sources so future scenarios could allow node local extension where desired.

[SaranBalaji90]

That's a good idea. I guess you mean we shouldn't stick with just file based configuration to read the plugin details but this could also be extended in future to read from different sources.

[tallclair]

Whereas the latter may be deactivated or removed by Kubernetes cluster administrators, the former node-local checks cannot be disabled.

This doesn't make much sense to me. Why are node-local checks different?

[SaranBalaji90]

@tallclair node-local checks can be same, its just that these validations cant be removed by cluster administrator, whereas validation webhooks or psp can be removed by cluster admins.

[tallclair]

See #1712, which proposes static admission webhooks. Does that address this concern?

[tallclair]

they represent a final defense against malicious actors and misconfigured Pods

I think it's worth keeping this 2 use cases separate. It makes sense to me to have some protection against misconfigured pods, since not all configuration details are available at the cluster level. However, I'm more skeptical of node-level admission offering a increase in security over cluster-level admission.

[SaranBalaji90]

makes sense, will update this. Also, we do perform validations in the control plane and block such misconfigured pods. But if cluster admins removes webhook/psp or have their own scheduler that bypasses our checks then we need something on the node to block such pods from running.

[tallclair]

nit: please linewrap the whole document (I like 80 chars) so that it's easier to leave comments on parts of the paragraph.

[SaranBalaji90]

Sorry about that. Will update the doc.

[tallclair]

This reads like you considered some built-in policy controls that didn't work, and then jumped to building a new node-level custom policy enforcement mechanism. What about custom cluster-level policy? We already have AdmissionWebhooks for exactly that reason. If your concern is a clusteradmin being able to mess with the admission webhook, then I would rather consider a statically configured admission webhook (I think this has already been proposed elsewhere?) before proposing a completely new mechanism in the kubelet.

[SaranBalaji90]

Even with static admission webhook, the problem is we will put heavy load on the controllers right, because webhook is going to reject and controller will keep creating the pods. But adding it as soft admit handler in kubelet, will not put pressure on controllers.

[SaranBalaji90]

Also, if I'm not wrong users in system:masters group can delete the validation webhook right.

[tallclair]

BTW, #1712 is the proposal I was referring to.

the problem is we will put heavy load on the controllers right, because webhook is going to reject and controller will keep creating the pods.

Controllers will back off. I'm not sure if they treat a rejection on pod creation differently from a failed pod.

[tallclair]

Suggested change

	"type": "fargatecheck",
	"name": "fargatecheck",

[tallclair]

What is the interface for the shell type? Send over stdin, and get a response over stdout?

[SaranBalaji90]

yes, this is similar to how CNI operates today (passing required parameters using env variable and read the response over stdout).

[tallclair]

How does bootstrapping work? For the non-shell types, it looks like the assumption is that the server is running prior to the Kubelet?

[SaranBalaji90]

yes your right server should be running before kubelet can accept pods. I was initially thinking about managing these by the same component that manages kubelet. For eg in linux env, managing it through systemd process. But more I think about this, shell type might be simpler for this approach. Users don't have to monitor one more component on the host. Happy to hear your feedback here.

[tallclair]

What are the failure modes? Fail open or fail closed? How would a failure be debugged? Would kubelet start if it couldn't connect to an admission hook?

[SaranBalaji90]

It should be fail closed, reason being if we can't validate the spec and admit the pod then whatever we are trying to protect might be violated. Kubelet can start even if it couldn't connect to an admission hook, but will not accept pods without validating the pod spec with the plugin.

[tallclair]

Please add these details to the KEP.

[tallclair]

A problem with the existing kubelet admission approach is that it can cause controllers to thrash. E.g. what if a DaemonSet controller is trying to schedule a pod on the Kubelet, and the kubelet keeps rejecting it?

[SaranBalaji90]

Your right about this, but if a pod is rejected by soft admit handler then this doesn't apply right.

[tallclair]

Yeah. Historically soft-reject was added because controllers treated a failed pod differently from an error on create. I think this has since been resolved, and controllers should properly backoff on failed pods. It would be good to clarify these interactions in the KEP.

[tallclair]

Would admission still apply to static pods?

[SaranBalaji90]

Good question, I will look into this. Not sure if kubelet invokes admit handlers for static pods.

[tallclair]

Whatever you conclude, please update the KEP to include it.

[SaranBalaji90]

Looks like admit handlers are invoked on static pods too. I will update the KEP to reflect this. Thanks.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[SaranBalaji90]

We didn't go with this approach as https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1872-manifest-based-admission-webhooks will help to achieve the same result.