Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forbid empty AppArmor localhost profile #108143

Merged
merged 3 commits into from
Feb 16, 2022
Merged

Forbid empty AppArmor localhost profile #108143

merged 3 commits into from
Feb 16, 2022

Conversation

tallclair
Copy link
Member

@tallclair tallclair commented Feb 15, 2022
edited

What type of PR is this?

/kind bug

What this PR does / why we need it:

#97966 removed the requirement that AppArmor profiles be pre-loaded, but in doing so opened up localhost/ as a valid profile. When localhost/ gets passed to the CRI runtime, it strips out the localhost/ prefix before passing the empty string to runc, which then treats it as unconfined. The end result is that localhost/ is equivalent to unconfined, and could be used to evade admission policies that explicitly forbid the use of unconfined.

Also adds a pkg/security/apparmor/OWNERS file (owned by sig-node), so AppArmor changes don't require top-level approval.

Special notes for your reviewer:

Note that this validation would ideally be done as part of API validation, but because of #64841 the Kubelet just performs the check on pod admission (to the node).

Does this PR introduce a user-facing change?

#97966 was only pushed out in an alpha release, so no user-facing changes are introduced here.

NONE

/sig node
/assign @saschagrunert
/cc @liggitt

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Feb 15, 2022
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. sig/node Categorizes an issue or PR as relevant to SIG Node. labels Feb 15, 2022
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 15, 2022
@k8s-ci-robot
Copy link
Contributor

@tallclair: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Feb 15, 2022
@tallclair
Copy link
Member Author

Added a pkg/security/apparmor/OWNERS file (owned by sig-node), so AppArmor changes don't require top-level approval.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. label Feb 15, 2022
@liggitt
Copy link
Member

liggitt commented Feb 15, 2022
edited

Added a pkg/security/apparmor/OWNERS file (owned by sig-node), so AppArmor changes don't require top-level approval.

fwiw, ValidateProfileFormat is called from ValidateAppArmorPodAnnotations and ValidatePodSecurityPolicySpecificAnnotations in API validation, so at least some parts of this package are REST API-facing

what can we do to avoid accidentally making changes to those functions in an uncontrolled way that doesn't consider the ratcheting required by API validation changes?

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. label Feb 16, 2022
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 16, 2022
@tallclair
Copy link
Member Author

I moved the validation method to the API validation package.

/assign @liggitt

@k8s-ci-robot k8s-ci-robot added sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Feb 16, 2022
@saschagrunert
Copy link
Member

/test pull-kubernetes-unit

saschagrunert
saschagrunert approved these changes Feb 16, 2022
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one nit, otherwise LGTM

pkg/apis/core/validation/validation.go Show resolved Hide resolved
@saschagrunert
Copy link
Member

/test pull-kubernetes-unit

@liggitt
Copy link
Member

liggitt commented Feb 16, 2022

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 16, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, saschagrunert, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 16, 2022
@k8s-ci-robot k8s-ci-robot merged commit e8d0009 into kubernetes:master Feb 16, 2022
SIG Node PR Triage automation moved this from Triage to Done Feb 16, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Feb 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saschagrunert saschagrunert saschagrunert approved these changes

@liggitt liggitt liggitt left review comments

Assignees

@saschagrunert saschagrunert

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
SIG Node PR Triage
Archived in project
SIG Node PR Triage
Done
Milestone
v1.24
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@tallclair @k8s-ci-robot @liggitt @saschagrunert