Added image-policy proposal #27129
Added image-policy proposal #27129
Conversation
k8s-github-robot
added
kind/design
|
@philips it might make sense to have https://github.com/coreos/clair be a backend for this image policy webhook, or something like that? Can you at-mention the right people from Clair? Also @ericchiang because it is a type of authorization, but intentionally not in RBAC. |
| - For non-replicated things (size 1 ReplicaSet, PetSet), a single node failure may disable it. | ||
| - a node rolling update will eventually check for liveness of replacements, and would be throttled if | ||
| in the case when the image was no longer allowed and so replacements could not be started. | ||
| - rapid node restarts will cause existing pod objects to be restared by kubelet. |
| } | ||
|
|
||
| // ImageReviewSpec is a description of the token authentication request. | ||
| type ImageReviewSpec struct { |
There was a problem hiding this comment.
Do we need to know the authenticated user / service account that is attempting to perform this action? Who can matter as much as what in this case.
There was a problem hiding this comment.
Nm, saw the comment below. Commented there.
|
xref: #22888 |
| - a newly created replicaSet will be unable to create Pods. | ||
| - updating a deployment will be safe in the sense that it will detect that the new ReplicaSet is not scaling | ||
| up and not scale down the old one. | ||
| - an existing replicaSet will not be unable to create Pods that replace ones which are terminated. If this is due to |
There was a problem hiding this comment.
nit: "will not be unable to create" -> "will be unable to create"
|
|
||
| ## Admission controller | ||
|
|
||
| An `ImagePolicyWebhook` admission controller will be written. The admission controller examines all pod objects which are |
There was a problem hiding this comment.
Is the webhook going to be tried until success? How would it distinguish retryable failure from permanent failure?
There was a problem hiding this comment.
The admission controller will admit if the webhook times out.
There was a problem hiding this comment.
Will the admin be able to set a policy for a namespace (e.g., fail-open/fail-closed)?
There was a problem hiding this comment.
Will this be a generic webhook for any admission plugin? I'd like to see a generic one and it seems like the work here would be about the same.
There was a problem hiding this comment.
It will not be a generic webhook. A generic webhook would need a lot more discussion:
- a generic webhook needs to touch all objects, not just pods. So it won't have a fixed schema
- a generic webhook client needs to ignore kinds it doesn't care about, or the apiserver needs to know which backends care about which kinds
- it exposes our whole API to a webhook without giving us (the project) any chance to review or understand how it is being used.
- because we don't know which fields of an object are inspected by the backend, caching is not effective. Sending fewer fields allows caching.
- sending fewer fields makes it possible to rev the version of the webhook request slower than the version of our internal obejcts (e.g. pod v2 could still use imageReview v1.)
- probably lots more reasons.
There was a problem hiding this comment.
Added section about this in Alternatives section.
|
@fabioy this is the proposal for image admission controller that we talked about. |
| - only run images that are scanned to confirm they do no contain vulnerabilities | ||
| - only run images that use a "required" base image | ||
| - only run images that contain binaries which were built from peer reviewed, checked-in source | ||
| by a trusted compiler toolchain. |
There was a problem hiding this comment.
@erictune isn't the other obvious example images that are signed by a public key in a key list?
There was a problem hiding this comment.
Yes. I would do that in conjunction with other controls. I might want to also enforce the whitelist of signing keys at the node level, at which point the check in the apiserver is more a nice-to-have. But you could do it that way.
There was a problem hiding this comment.
Adding your suggestion to the doc.
|
I've addressed most comments and updated the docs. The open issues, as I see it, are:
|
|
Interfaces was about making the guts of the admission controller call
a policy interface that looks like Authorizer and Admission
interfaces, because it imposes discipline and also may lead to
experimentation.
|
|
cc the Clair team @Quentin-M @jzelinskie @josephschorr |
| ## Admission controller | ||
|
|
||
| An `ImagePolicyWebhook` admission controller will be written. The admission controller examines all pod objects which are | ||
| created or updated. It can either admit the pod, or reject it. If it is rejected, the request sees a `403 FORBIDDEN` |
There was a problem hiding this comment.
This description is a little vague in the plurality sense. I think this should work over a set of webhooks rather than one. For example, this Pull Request on GitHub has multiple webhooks that must validate it before it is merged.
There was a problem hiding this comment.
I kinda understood this as being able to setup multiple, but having it explicit in the proposal is a good idea.
There was a problem hiding this comment.
This description is a little vague in the plurality sense. I think this should work over a set of webhooks rather than one. For example, this Pull Request on GitHub has multiple webhooks that must validate it before it is merged.
Seems like we could support a single callout and if someone wanted a union, they could write the union in their particular handler. That keeps our core code out of the business of deciding between the ands, ors, and trumps, which inevitably follow the "give me more than one".
I don't see an issue with making a reference impl for the webhook that can provide a simple union, but I don't think we want to bake multiples into our admission plugin.
There was a problem hiding this comment.
@deads2k It seems there's precedent in other parts of k8s for doing it the way you have described, so I agree.
k8s-github-robot
added
the
do-not-merge
| The WebHook request and response are JSON, and correspond to the following `go` structures: | ||
|
|
||
| ```go | ||
| // Filename: pkg/apis/authentication.k8s.io/register.go |
There was a problem hiding this comment.
Are these types intended to live in the authentication.k8s.io API group? Is the package name correct here?
|
|
||
| // ImageReviewContainerSpec is a description of a container within the pod creation request. | ||
| type ImageReviewContainerSpec struct { | ||
| Image string |
There was a problem hiding this comment.
Shouldn't this be Image, ImageHash string?
There was a problem hiding this comment.
Images can be specified to docker, and in pod.spec.container[].image as either image:tag or image@SHA:012345679abcdef. So, this field also accepts either format.
It is up to the backend to decide if it accepts image:tag or only accepts image@SHA:012345679abcdef format. There are reasons you might chose to do either way, so this API doesn't have an opinion.
Q-Lee
added
the
lgtm
|
This is very close. Let's put this and I'll make the remaining changes in a new, narrower PR. |
k8s-github-robot
removed
the
lgtm
|
GCE e2e build/test passed for commit 9d59ae5. |
Added image-policy proposal
Add proposal for image policy.