Allow PSP's to specify a whitelist of allowed paths for host volume #43946
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. Once you've signed, please reply here (e.g. "I signed it!") and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
k8s-github-robot
added
kind/api-change
|
This change is |
|
Hi @jhorwit2. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
jhorwit2
force-pushed
the
jah/host-path-psp
branch
from
83195d9
to
791bbe2
Compare
k8s-ci-robot
added
cncf-cla: yes
| } | ||
| } | ||
|
|
||
| return fmt.Errorf("Host path %s is not allowed to be used. Allowed host paths: %v", hostPath, allowedPaths) |
There was a problem hiding this comment.
|
It's a bit confusing that release note and PSP member imply path names but algorithm working like path prefix. I think it's counter-intuitive. Could we improve this? Also I would better to use strict comparison by default. I could imagine situation when dir contains two project dirs named What do you think about adding support for special |
|
@mfischer-zd (as initial requester) what do you think about suggested behavior? Is it ok? |
|
I was going back and forth on strict vs prefix. I didn't think about the example you said ( With |
|
My own view is that prefixes that look like mount points (with an implicit |
There was a problem hiding this comment.
I like where this is going. In addition to the question posed by @php-coder on syntax:
Should we validate against the host plugin for this to be set and throw errors if not or does it make sense to allow this to exist even with no host volume in Volumes?
Using an attached slice like this means you need a permutation of the PSP every time you want to give some (but not others) access to a different list of host volumes. Is there a way to not have that coupling? Would you just recommend namespace level PSPs at that point?
|
@pweil- I feel like multiple permutations of PSP's are going to be common. That's already the case with host ports. The reason I want this feature is to restrict pods based on service accounts & namespaces to specific host volume paths. In that scenario i'd have a PSP per SA/namespace. |
Agree. Very similar to roles IMO, just a pain point I've been wary of.
Fair. |
|
@kubernetes/api-reviewers @liggitt @erictune @timstclair |
|
cc @kubernetes/sig-auth-api-reviews |
jhorwit2
force-pushed
the
jah/host-path-psp
branch
from
791bbe2
to
7255703
Compare
|
Rbac has path rules, can we make these consistent with those safely? |
|
On an unrelated note we should have called this ClusterPodSecurityPolicy so we could also have a namespace scoped rule that further confines (so you could have access to a wider scope and then tighten). We should look at discussing what use cases for namespace scope need to be solved in a separate issue |
|
@smarterclayton there was a recent PR to make PSP's have the option to be namespace scoped, but yeah I agree. Like ClusterRole vs Role. |
|
Link? Would be good to update the PSP proposal first if so
|
I would not expect to deny access to specific directories, but just to enable a whitelist mode. I think allowing all subpaths of any whitelisted paths automatically makes sense, but definition need to require them to be subpaths, not just suffixes |
| } | ||
|
|
||
| for _, allowedPath := range allowedPaths { | ||
| if strings.HasPrefix(hostPath, allowedPath) { |
There was a problem hiding this comment.
this logic needs to check for exact matches or prefix matches with a trailing /
jhorwit2
force-pushed
the
jah/host-path-psp
branch
from
43c73df
to
e8ec654
Compare
k8s-github-robot
removed
the
needs-rebase
|
@smarterclayton rebase and tests look good. 👍 |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jhorwit2, smarterclayton
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 46489, 46281, 46463, 46114, 43946) |
liggitt
added
release-note-none
|
removed release note pending revert of the API change in #47851 |
…list Automatic merge from submit-queue (batch tested with PRs 47851, 47824, 47858, 46099) Revert "Merge pull request #43946 from jhorwit2/jah/host-path-psp" fixes #47863 This reverts commit b5eadb5, reversing changes made to 1889d65. **What this PR does / why we need it**: Revert whitelist host paths in psp due to API concerns. Please refer to #47811 for the concerns. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: cc @liggitt @ericchiang @smarterclayton **Release note**: ```release-note ```
Automatic merge from submit-queue (batch tested with PRs 50719, 51216, 50212, 51408, 51381) Allow PSP's to specify a whitelist of allowed paths for host volume **What this PR does / why we need it**: Reverts the revert for the allowed host path feature that was moved from v1.7 to v1.8. This PR also changes the api as discussed in kubernetes#47811. Original pr: kubernetes#43946 revert: kubernetes#47851 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#29326 **Special notes for your reviewer**: cc @liggitt @ericchiang @php-coder It seems the api build process has changed. Hopefully I did it right 👼 . **Release note**: ```release-note Allow PSP's to specify a whitelist of allowed paths for host volume ```
What this PR does / why we need it:
This PR adds the ability to whitelist paths for the host volume to ensure pods cannot access directories they aren't supposed to. E.g.
/var/lib/kubelet,/etc/kubernetes/*, etc.Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #29326Special notes for your reviewer:
Release note: