Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add apparmor and seccomp to PodSecurityPolicy #22159

Closed
thockin opened this issue Feb 29, 2016 · 14 comments
Closed

Add apparmor and seccomp to PodSecurityPolicy #22159

thockin opened this issue Feb 29, 2016 · 14 comments
Assignees
@timstclair
Labels
priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node.
Milestone
v1.4

Comments

@thockin
Copy link
Member

thockin commented Feb 29, 2016

I was speaking with a customer this week who has a fairly established app stack using apparmor. As we explored how to make it work in Kubernetes it dawned on me that, even if the config of an apparmor profile is opaque, the existence of it can be exposed in the API and carried all the way down to container runtime (e.g. Docker).

We could do something like:

type SecurityContext struct { 
   ...
   SecurityProfileName string
}

type SecurityProfile struct {
    TypeMeta
    ObjMeta
    SecurityProfileSource `json:,inline`
}

type  SecurityProfileSource struct {
   // one of the following
   SELinux SELinuxOptions
   AppArmor string
}

Just jotting notes for future work. We'll want to accommodate seccomp before long and who know what else.
@thockin
Copy link
Member Author

thockin commented Feb 29, 2016

@pmorie @smarterclayton @erictune

@smarterclayton
Copy link
Contributor

With SELinux we made the assumption that your policy across the cluster was either homogenous, or that you were responsible for defining a pattern and applying it and controlling access to nodes. Does the indirection from pod to profile have any particular benefit or disadvantages? For selinux it's been a fairly mechanical range / enforcement usage, although we're starting to ask how to propagate assigned labels from pod to PVC to PV.

@erictune
Copy link
Member

We have this. It is called PodSecurityPolicy.

The type is checked in. Enforcement code is not in yet.
@pweil- what is timeline for upstreaming more of this?

@erictune
Copy link
Member

@pweil- any plans to add seccomp support?

@pweil-
Copy link
Contributor

pweil- commented Feb 29, 2016

@erictune I'll be able to focus more on this when we close out 1.2 (which mostly corresponds to our 3.2) so likely in after the next sprint.

I'd like to add the seccomp support somewhere in the PSP. I haven't thought through where the actual profile lives and how it makes its way to the node if we're not expecting it to be there already.

@thockin
Copy link
Member Author

thockin commented Mar 2, 2016

Awesome. Since I clearly can't read every PR (sad face), I'll pick a
couple nits here:

The yaml is going to be pretty mouthy for SELinux:

kind: PodSecurityPolicy
spec:
    seLinuxContext:
        type: MustRunAs
        seLinuxOptions:
            user: foo

Could we reduce it to:

kind: PodSecurityPolicy
spec:
    seLinux:
        rule: MustRunAs
        options:
            user: foo

In the next cycle we'll need to add apparmor here, and we can discuss the
details at that time.

Tim

On Mon, Feb 29, 2016 at 10:19 AM, Paul Weil notifications@github.com
wrote:

@erictune https://github.com/erictune I'll be able to focus more on
this when we close out 1.2 (which mostly corresponds to our 3.2) so likely
in after the next sprint.

I'd like to add the seccomp support somewhere in the PSP. I haven't
thought through where the actual profile lives and how it makes its way to
the node if we're not expecting it to be there already.


Reply to this email directly or view it on GitHub
#22159 (comment)
.

@pweil-
Copy link
Contributor

pweil- commented Mar 2, 2016

👍

@erictune
Copy link
Member

erictune commented Mar 2, 2016

And seccomp modes and filters?

On Wed, Mar 2, 2016 at 5:52 AM, Paul Weil notifications@github.com wrote:

[image: 👍]


Reply to this email directly or view it on GitHub
#22159 (comment)
.

@thockin
Copy link
Member Author

thockin commented Mar 3, 2016

something like #22419 ?

On Wed, Mar 2, 2016 at 5:52 AM, Paul Weil notifications@github.com wrote:

[image: 👍]


Reply to this email directly or view it on GitHub
#22159 (comment)
.

@thockin thockin changed the title Do we need an abstraction for "security profile" ? Add apparmor and seccomp to PodSecurityPolicy Mar 3, 2016
@thockin
Copy link
Member Author

thockin commented Mar 3, 2016

Retitled to better reflect current needs :)

@erictune
Copy link
Member

erictune commented Mar 3, 2016

Lemme compare that to
#22402

On Thu, Mar 3, 2016 at 12:01 AM, Tim Hockin notifications@github.com
wrote:

something like #22419 ?

On Wed, Mar 2, 2016 at 5:52 AM, Paul Weil notifications@github.com
wrote:

[image: 👍]


Reply to this email directly or view it on GitHub
<
#22159 (comment)

.


Reply to this email directly or view it on GitHub
#22159 (comment)
.

erictune added a commit to erictune/kubernetes that referenced this issue Mar 3, 2016
@erictune
Rename PodSecurityPolicy fields
4d090bf 
In podSecurityPolicy:
1. Rename .seLinuxContext to .seLinux
2. Rename .seLinux.type to .seLinux.rule
3. Rename .runAsUser.type to .runAsUser.rule
4. Rename .seLinux.SELinuxOptions

1,2,3 as suggested by thockin in kubernetes#22159.
I added 3 for consistency with 2.
@erictune erictune added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed area/security labels Apr 12, 2016
@bgrant0607 bgrant0607 added team/cluster sig/node Categorizes an issue or PR as relevant to SIG Node. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed team/ux labels May 6, 2016
@dchen1107 dchen1107 added this to the v1.4 milestone Jun 29, 2016
@timstclair timstclair mentioned this issue Jul 14, 2016
Open
19 tasks
@sttts
Copy link
Contributor

sttts commented Jul 15, 2016

Seccomp PSP support is on its way: #28300

@philips
Copy link
Contributor

philips commented Jul 15, 2016

How does this play with the CRI? https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/container-runtime-interface-v1.md

cc @yujuhong ?

@yujuhong
Copy link
Contributor

We will have to extend CRI to support this as well. There are a few things in the pipeline that we will need to add later, and this is one of them. Let me file an issue.

@yujuhong yujuhong mentioned this issue Jul 15, 2016
Closed
3 tasks
@yujuhong yujuhong mentioned this issue Sep 26, 2016
Closed
25 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timstclair timstclair

Labels
priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node.
Projects
None yet
Milestone
v1.4
Development

No branches or pull requests