AllowPrivilegeEscalation: add validations #52803
Conversation
k8s-ci-robot
added
size/L
k8s-github-robot
added
the
do-not-merge/release-note-label-needed
|
/assign @lavalamp |
|
/release-note-none |
k8s-ci-robot
added
release-note-none
pkg/api/v1/defaults.go
Outdated
|
|
||
| // handle the case for AllowPrivilegeEscalation when the container is privileged | ||
| if sc.Privileged != nil && *sc.Privileged { | ||
| sc.AllowPrivilegeEscalation = &pt |
There was a problem hiding this comment.
Hmm, I'm not sure it's acceptable for defaulting code to change values that have been set. Maybe it would be better for this to go in validation (i.e. setting AllowPrivilegeEscalataion == false && Privileged == true is an error)
There was a problem hiding this comment.
updated in a differnt commit, can squash before merge, added tests too
| @@ -69,7 +69,8 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po | |||
| synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, groups...) | |||
| } | |||
|
|
|||
| synthesized.NoNewPrivs = securitycontext.AddNoNewPrivileges(effectiveSc) | |||
| // Set the NoNewPrivs setting to the opposite of AllowPrivilegeEscalation. | |||
| synthesized.NoNewPrivs = !*effectiveSc.AllowPrivilegeEscalation | |||
There was a problem hiding this comment.
nit: handle the nil case. e.g. for static pods (just default to true?)
jessfraz
force-pushed
the
AllowPrivilegeEscalation
branch
2 times, most recently
from
90d9903
to
0b4086e
Compare
|
@jessfraz are these legit failures? (let me try a retest in case they are flakes) /retest |
jessfraz
force-pushed
the
AllowPrivilegeEscalation
branch
from
0b4086e
to
357eef9
Compare
|
Do you know why update: figured this one out but the other mystery remains with the e2e-node tests |
|
ah fuzzers! /test pull-kubernetes-node-e2e |
pkg/api/validation/validation.go
Outdated
| } | ||
|
|
||
| if sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation { | ||
| if *sc.Privileged { |
There was a problem hiding this comment.
@jess, found the trace backs : http://paste.openstack.org/show/621629/
Looks like we need to check for nil here
if sc.Privileged != nil && *sc.Privileged
There was a problem hiding this comment.
omg you are my new favorite person on the planet
|
@jessfraz please see inline comment, found the panic traceback |
jessfraz
force-pushed
the
AllowPrivilegeEscalation
branch
2 times, most recently
from
26506c0
to
2fa9bf5
Compare
pkg/api/v1/defaults.go
Outdated
| @@ -389,3 +389,32 @@ func SetDefaults_HostPathVolumeSource(obj *v1.HostPathVolumeSource) { | |||
| obj.Type = &typeVol | |||
| } | |||
| } | |||
|
|
|||
| func SetDefaults_SecurityContext(sc *v1.SecurityContext) { | |||
| pt := true | |||
There was a problem hiding this comment.
For consistency, it should have name ape (as in the fuzzer).
There was a problem hiding this comment.
can do, I was debating over what naming I liked better, honestly I just wish &true and &false worked
pkg/api/v1/defaults.go
Outdated
| if sc.Capabilities != nil { | ||
| for _, cap := range sc.Capabilities.Add { | ||
| if string(cap) == "CAP_SYS_ADMIN" { | ||
| sc.AllowPrivilegeEscalation = &pt |
pkg/api/v1/defaults.go
Outdated
| } | ||
|
|
||
| // handle the case for AllowPrivilegeEscalation when we are adding CAP_SYS_ADMIN | ||
| if sc.Capabilities != nil { |
There was a problem hiding this comment.
This if can be replaced by else if to prevent inspecting capabilities when we've already set AllowPrivilegeEscalation to true in the previous branch.
pkg/api/v1/defaults.go
Outdated
| } | ||
|
|
||
| // handle the case where the user did not set the defaultAllowPrivilegeEscalation and did not explicitly set allowPrivilegeEscalation | ||
| if sc.AllowPrivilegeEscalation == nil { |
There was a problem hiding this comment.
Comment assumes that defaultAllowPrivilegeEscalation == nil but code doesn't check for that. Is it intentionally?
There was a problem hiding this comment.
yeah I was just trying to relay that the securityContext would be nil if they didn't set a default.
pkg/api/v1/defaults_test.go
Outdated
| "allowPrivilegeEscalation nil security context nil": { | ||
| expect: true, | ||
| }, | ||
| "allowPrivilegeEscalation nil capAddSysadmin": { |
There was a problem hiding this comment.
s/nil capAddSysadmin/and CAP_SYS_ADMIN/
There was a problem hiding this comment.
Ah, I see the logic in the names now... Could you make it more explicit? Otherwise it could be misinterpreted which exactly value is nil in the cases like allowPrivilegeEscalation nil privileged
pkg/api/validation/validation.go
Outdated
| if sc.Capabilities != nil { | ||
| for _, cap := range sc.Capabilities.Add { | ||
| if string(cap) == "CAP_SYS_ADMIN" { | ||
| allErrs = append(allErrs, field.Forbidden(field.NewPath(""), "Cannot set `allowPrivilegeEscalation` to false and `capAdd` CAP_SYS_ADMIN")) |
There was a problem hiding this comment.
There is no field capAdd. Let's use capabilities.add at least.
There was a problem hiding this comment.
Plase, add break here to stop early.
|
/lgtm |
pkg/api/validation/validation.go
Outdated
|
|
||
| if sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation { | ||
| if sc.Privileged != nil && *sc.Privileged { | ||
| allErrs = append(allErrs, field.Invalid(fldPath, sc, "Cannot set `allowPrivilegeEscalation` to false and `privileged` to true")) |
There was a problem hiding this comment.
Error string start with lower case?
pkg/api/validation/validation.go
Outdated
| if sc.Capabilities != nil { | ||
| for _, cap := range sc.Capabilities.Add { | ||
| if string(cap) == "CAP_SYS_ADMIN" { | ||
| allErrs = append(allErrs, field.Invalid(fldPath, sc, "Cannot set `allowPrivilegeEscalation` to false and `capabilities.Add` CAP_SYS_ADMIN")) |
|
Small nits, otherwise look good to me. |
|
this is release blocking... can we merge/pick this as-is for 1.8, and follow up with the message tweaks? |
|
I can update the PR real fast no worries |
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
jessfraz
force-pushed
the
AllowPrivilegeEscalation
branch
from
0c610d5
to
0ad51ed
Compare
k8s-github-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
liggitt
added
the
approved
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, dims, jessfraz, liggitt, tallclair Associated issue: 52454 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/test pull-kubernetes-e2e-gce-bazel |
abgworrall
added
cherry-pick-approved
|
Changing |
|
Automatic merge from submit-queue (batch tested with PRs 51067, 52319, 52803, 52961, 51972). If you want to cherry-pick this change to another branch, please follow the instructions here.. |
…n_test Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Move test cases to a proper test method **What this PR does / why we need it**: Prior this change, we had tests in `TestValidatePodSpec()` method that is designated for testing `ValidatePodSpec()`. But because we test code from the `ValidateSecurityContext()` method, the tests should belong to `TestValidateSecurityContext()`. This PR improves the tests. Now the tests become less fragile because `ValidatePodSpec()` do a lot more validations than `ValidateSecurityContext()`. **Which issue(s) this PR fixes**: Related to #52803 where this code and tests were introduced. **Release note**: ```release-note NONE ``` PTAL @jessfraz CC @simo5
Fixes #52454