-
Notifications
You must be signed in to change notification settings - Fork 38.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added image-policy proposal #27129
Added image-policy proposal #27129
Conversation
@philips it might make sense to have https://github.com/coreos/clair be a backend for this image policy webhook, or something like that? Can you at-mention the right people from Clair? Also @ericchiang because it is a type of authorization, but intentionally not in RBAC. |
- For non-replicated things (size 1 ReplicaSet, PetSet), a single node failure may disable it. | ||
- a node rolling update will eventually check for liveness of replacements, and would be throttled if | ||
in the case when the image was no longer allowed and so replacements could not be started. | ||
- rapid node restarts will cause existing pod objects to be restared by kubelet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/restared/restarted/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
} | ||
|
||
// ImageReviewSpec is a description of the token authentication request. | ||
type ImageReviewSpec struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to know the authenticated user / service account that is attempting to perform this action? Who can matter as much as what in this case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nm, saw the comment below. Commented there.
xref: #22888 |
- a newly created replicaSet will be unable to create Pods. | ||
- updating a deployment will be safe in the sense that it will detect that the new ReplicaSet is not scaling | ||
up and not scale down the old one. | ||
- an existing replicaSet will not be unable to create Pods that replace ones which are terminated. If this is due to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: "will not be unable to create" -> "will be unable to create"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed.
|
||
## Admission controller | ||
|
||
An `ImagePolicyWebhook` admission controller will be written. The admission controller examines all pod objects which are |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the webhook going to be tried until success? How would it distinguish retryable failure from permanent failure?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The admission controller will admit if the webhook times out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will the admin be able to set a policy for a namespace (e.g., fail-open/fail-closed)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this be a generic webhook for any admission plugin? I'd like to see a generic one and it seems like the work here would be about the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It will not be a generic webhook. A generic webhook would need a lot more discussion:
- a generic webhook needs to touch all objects, not just pods. So it won't have a fixed schema
- a generic webhook client needs to ignore kinds it doesn't care about, or the apiserver needs to know which backends care about which kinds
- it exposes our whole API to a webhook without giving us (the project) any chance to review or understand how it is being used.
- because we don't know which fields of an object are inspected by the backend, caching is not effective. Sending fewer fields allows caching.
- sending fewer fields makes it possible to rev the version of the webhook request slower than the version of our internal obejcts (e.g. pod v2 could still use imageReview v1.)
- probably lots more reasons.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added section about this in Alternatives section.
@fabioy this is the proposal for image admission controller that we talked about. |
- only run images that are scanned to confirm they do no contain vulnerabilities | ||
- only run images that use a "required" base image | ||
- only run images that contain binaries which were built from peer reviewed, checked-in source | ||
by a trusted compiler toolchain. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@erictune isn't the other obvious example images that are signed by a public key in a key list?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. I would do that in conjunction with other controls. I might want to also enforce the whitelist of signing keys at the node level, at which point the check in the apiserver is more a nice-to-have. But you could do it that way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding your suggestion to the doc.
I've addressed most comments and updated the docs. The open issues, as I see it, are:
|
Interfaces was about making the guts of the admission controller call
a policy interface that looks like Authorizer and Admission
interfaces, because it imposes discipline and also may lead to
experimentation.
|
cc the Clair team @Quentin-M @jzelinskie @josephschorr |
## Admission controller | ||
|
||
An `ImagePolicyWebhook` admission controller will be written. The admission controller examines all pod objects which are | ||
created or updated. It can either admit the pod, or reject it. If it is rejected, the request sees a `403 FORBIDDEN` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This description is a little vague in the plurality sense. I think this should work over a set of webhooks rather than one. For example, this Pull Request on GitHub has multiple webhooks that must validate it before it is merged.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I kinda understood this as being able to setup multiple, but having it explicit in the proposal is a good idea.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This description is a little vague in the plurality sense. I think this should work over a set of webhooks rather than one. For example, this Pull Request on GitHub has multiple webhooks that must validate it before it is merged.
Seems like we could support a single callout and if someone wanted a union, they could write the union in their particular handler. That keeps our core code out of the business of deciding between the ands, ors, and trumps, which inevitably follow the "give me more than one".
I don't see an issue with making a reference impl for the webhook that can provide a simple union, but I don't think we want to bake multiples into our admission plugin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel convinced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@deads2k It seems there's precedent in other parts of k8s for doing it the way you have described, so I agree.
The WebHook request and response are JSON, and correspond to the following `go` structures: | ||
|
||
```go | ||
// Filename: pkg/apis/authentication.k8s.io/register.go |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these types intended to live in the authentication.k8s.io
API group? Is the package name correct here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, fixed.
|
||
// ImageReviewContainerSpec is a description of a container within the pod creation request. | ||
type ImageReviewContainerSpec struct { | ||
Image string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be Image, ImageHash string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Images can be specified to docker, and in pod.spec.container[].image
as either image:tag
or image@SHA:012345679abcdef
. So, this field also accepts either format.
It is up to the backend to decide if it accepts image:tag
or only accepts image@SHA:012345679abcdef
format. There are reasons you might chose to do either way, so this API doesn't have an opinion.
This is very close. Let's put this and I'll make the remaining changes in a new, narrower PR. |
GCE e2e build/test passed for commit 9d59ae5. |
Added image-policy proposal
Add proposal for image policy.