Restricted Pod E2E tests

[tallclair]

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

1. Add a new MixinRestrictedPodSecurity and corresponding MustMixinRestrictedPodSecurity utilities which set the required fields to pass the restricted pod security checks, and verify that the given pod does in fact meet the requirements. These are complementary to the existing GetRestricted{Pod,Container}SecurityContext functions, but in most cases require fewer changes.
2. Update the test/e2e/common/node/pods.go tests to set the restricted namespace label and use the new utilities.

Does this PR introduce a user-facing change?

NONE

/area test
/assign @liggitt @s-urbaniak

[tallclair]

Sorry, looks like I have a little more work to do on this.

[liggitt]

does changing from nginx to pause change the lifecycle characteristics of the pod (w.r.t. handling shutdown signals)? same question applies in multiple places

[tallclair]

Good question. Both the pause container and nginx handle SIGINT and SIGTERM as a fast shutdown, which I think is what containerd uses. nginx additionally handles SIGQUIT, but I don't see any references to SIGQUIT in k/k, containerd, or cri-o.

Maybe @SergeyKanzhelev or @endocrimes have additional context.

[endocrimes]

This test doesn't cover any corner cases of shutdown so this seems ok to me 👍

[liggitt]

I'm still unsure about this... this isn't really a minimal restricted pod security context, right? shouldn't runAsNonRoot: true be sufficient?

[tallclair]

Part of my goal with these methods was that most e2e test authors can just apply MixinRestrictedPodSecurity and not think about the restricted profile at all. If we don't set RunAsUser here (and in the mixin) then for all cases other than the pause pod the test author will need to manually set a RunAsUser. They'll probably pick something random that gets cargo-culted around.

What's your argument against this?

[liggitt]

If we don't set RunAsUser here (and in the mixin) then for all cases other than the pause pod the test author will need to manually set a RunAsUser

Would they have to set it, or do you mean because the container image would have to be built to run with a non-root uid, which is uncommon?

What's your argument against this?

It would break images that expect to run with a particular non-zero uid at runtime, right?

[tallclair]

I searched through our test image manifests, and the only ones that set a user are:

• pause: user doesn't matter
• nonroot: all the tests using this override the user anyway
• windows containers: don't support Restricted for now (added TODO)

I'd prefer that the tests which require a specific user are explicit about it, rather than having all the tests that don't have an opinion set something arbitrary.

[liggitt]

rather than having all the tests that don't have an opinion set something arbitrary

but… isn't this setting something arbitrary (1000) on all tests that don't have an opinion?

[liggitt]

Is runAsUser generally needed as boilerplate, though? I thought runAsNonRoot was supposed to be sufficient.

If an e2e wanted to exercise runAsNonRoot functionality with an image that did not run as root by default and didn't want to set a runAsUser, that would mean they couldn't use GetRestrictedPodSecurityContext or MustMixinRestrictedPodSecurity to do so, because those wouldn't actually set the minimal securityContext that is compatible with the restricted PSS.

[tallclair]

1. IMO, if a test is explicitly testing the runAsNonRoot functionality (with or without a runAsUser set), then the test should be explicitly writing & managing the SecurityContext, and not deferring that to a helper.
2. There should probably be 1-2 E2E tests explicitly checking runAsNonRoot behavior. I'd prefer to optimize these convenience methods for the common path, and force those couple of tests to be write the pod manually.

[liggitt]

Ok, fair enough. Make sure the docs don't claim to produce a minimal valid restricted securityContext and doc the uid chosen

[endocrimes]

This reasoning makes sense to me 👍 - A comment summarizing this would go a long way for future readers of the framework code here tho.

[tallclair]

Updated comments.

[endocrimes]

/assign

[endocrimes]

/approve

looks good from a node pov, just needs the comment/doc updates

[tallclair]

Added comments about the default non-root user. Also squashed commits & rebased.

[tallclair]

/hold cancel

[liggitt]

/test pull-kubernetes-e2e-capz-conformance

[liggitt]

what do windows nodes do if runAsUser is non-nil? do they ignore it or fail?

[jsturtevant]

It is ignored by kubelet:

kubernetes/pkg/kubelet/kuberuntime/security_context_windows.go

Lines 46 to 49 in 68fc207

	if effectiveSc.RunAsUser != nil {
	klog.InfoS("Windows container does not support SecurityContext.RunAsUser, please use SecurityContext.WindowsOptions",
	"pod", klog.KObj(pod), "containerName", container.Name)
	}

With PodOS feature and OS field is set (in beta in 1.24) the adminsion controller would reject it:

kubernetes/staging/src/k8s.io/api/core/v1/types.go

Lines 3286 to 3307 in 976a940

	// If the OS field is set to windows, following fields must be unset:
	// - spec.hostPID
	// - spec.hostIPC
	// - spec.securityContext.seLinuxOptions
	// - spec.securityContext.seccompProfile
	// - spec.securityContext.fsGroup
	// - spec.securityContext.fsGroupChangePolicy
	// - spec.securityContext.sysctls
	// - spec.shareProcessNamespace
	// - spec.securityContext.runAsUser
	// - spec.securityContext.runAsGroup
	// - spec.securityContext.supplementalGroups
	// - spec.containers[*].securityContext.seLinuxOptions
	// - spec.containers[*].securityContext.seccompProfile
	// - spec.containers[*].securityContext.capabilities
	// - spec.containers[*].securityContext.readOnlyRootFilesystem
	// - spec.containers[*].securityContext.privileged
	// - spec.containers[*].securityContext.allowPrivilegeEscalation
	// - spec.containers[*].securityContext.procMount
	// - spec.containers[*].securityContext.runAsUser
	// - spec.containers[*].securityContext.runAsGroup
	// +optional

[liggitt]

ok, there's a TODO to avoid setting RunAsUser in MustMixinRestrictedPodSecurity for explicitly windows pods as part of the PodOS work, I just wanted to make sure this wasn't going to fail in a windows kubelet for pods that didn't explicitly indicate their OS

[jsturtevant]

So, this did break the tests because of #102849

https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/ci-kubernetes-e2e-capz-master-containerd-windows/1529769915945324544

May 26 10:47:49.396: INFO: At 2022-05-26 10:44:57 +0000 UTC - event for pod-update-d046cc17-42c7-493c-8c0c-fea0e9ac3164: {kubelet capz-conf-qwm24} FailedMount: (combined from similar events): MountVolume.SetUp failed for volume "kube-api-access-9l7hz" : chown c:\var\lib\kubelet\pods\0a6b5b55-fc8f-42b4-b285-19aedc311882\volumes\kubernetes.io~projected\kube-api-access-9l7hz\..2022_05_26_10_46_59.624505313\token: not supported by windows

[liggitt]

this isn't setting RunAsUserName, but does the windows kubelet have similar problems with RunAsUser?

if so, that seems like a good reason to drop RunAsUser here

[jsturtevant]

Yes the title is slightly misleading but it states in the issue: In addition if a Windows Pod is created with a Projected Volume and RunAsUser set, the Pod will be stuck at ContainerCreating:

[liggitt]

ok. @tallclair, that's a good reason not to set RunAsUser here for pods that could run on Windows. @jsturtevant, do you mind opening a PR to drop the RunAsUser field?

[jsturtevant]

linking here for anyone following the thread #110235

[endocrimes]

/triage accepted
/priority backlog

[liggitt]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: endocrimes, liggitt, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/e2e/common/OWNERS [endocrimes,liggitt,tallclair]
• test/e2e/framework/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest