-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AllowPrivilegeEscalation: add validations #52803
AllowPrivilegeEscalation: add validations #52803
Conversation
/assign @lavalamp |
/release-note-none |
pkg/api/v1/defaults.go
Outdated
|
||
// handle the case for AllowPrivilegeEscalation when the container is privileged | ||
if sc.Privileged != nil && *sc.Privileged { | ||
sc.AllowPrivilegeEscalation = &pt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I'm not sure it's acceptable for defaulting code to change values that have been set. Maybe it would be better for this to go in validation (i.e. setting AllowPrivilegeEscalataion == false && Privileged == true
is an error)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can do
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated in a differnt commit, can squash before merge, added tests too
@@ -69,7 +69,8 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po | |||
synthesized.SupplementalGroups = append(synthesized.SupplementalGroups, groups...) | |||
} | |||
|
|||
synthesized.NoNewPrivs = securitycontext.AddNoNewPrivileges(effectiveSc) | |||
// Set the NoNewPrivs setting to the opposite of AllowPrivilegeEscalation. | |||
synthesized.NoNewPrivs = !*effectiveSc.AllowPrivilegeEscalation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: handle the nil case. e.g. for static pods (just default to true?)
90d9903
to
0b4086e
Compare
@jessfraz are these legit failures? (let me try a retest in case they are flakes) /retest |
0b4086e
to
357eef9
Compare
Do you know why update: figured this one out but the other mystery remains with the e2e-node tests |
ah fuzzers! /test pull-kubernetes-node-e2e |
pkg/api/validation/validation.go
Outdated
} | ||
|
||
if sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation { | ||
if *sc.Privileged { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jess, found the trace backs : http://paste.openstack.org/show/621629/
Looks like we need to check for nil here
if sc.Privileged != nil && *sc.Privileged
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
omg you are my new favorite person on the planet
@jessfraz please see inline comment, found the panic traceback |
26506c0
to
2fa9bf5
Compare
pkg/api/v1/defaults.go
Outdated
@@ -389,3 +389,32 @@ func SetDefaults_HostPathVolumeSource(obj *v1.HostPathVolumeSource) { | |||
obj.Type = &typeVol | |||
} | |||
} | |||
|
|||
func SetDefaults_SecurityContext(sc *v1.SecurityContext) { | |||
pt := true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For consistency, it should have name ape
(as in the fuzzer).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can do, I was debating over what naming I liked better, honestly I just wish &true
and &false
worked
pkg/api/v1/defaults.go
Outdated
if sc.Capabilities != nil { | ||
for _, cap := range sc.Capabilities.Add { | ||
if string(cap) == "CAP_SYS_ADMIN" { | ||
sc.AllowPrivilegeEscalation = &pt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
break
is missing here.
pkg/api/v1/defaults.go
Outdated
} | ||
|
||
// handle the case for AllowPrivilegeEscalation when we are adding CAP_SYS_ADMIN | ||
if sc.Capabilities != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This if
can be replaced by else if
to prevent inspecting capabilities when we've already set AllowPrivilegeEscalation
to true
in the previous branch.
pkg/api/v1/defaults.go
Outdated
} | ||
|
||
// handle the case where the user did not set the defaultAllowPrivilegeEscalation and did not explicitly set allowPrivilegeEscalation | ||
if sc.AllowPrivilegeEscalation == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment assumes that defaultAllowPrivilegeEscalation == nil
but code doesn't check for that. Is it intentionally?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah I was just trying to relay that the securityContext would be nil if they didn't set a default.
pkg/api/v1/defaults_test.go
Outdated
"allowPrivilegeEscalation nil security context nil": { | ||
expect: true, | ||
}, | ||
"allowPrivilegeEscalation nil capAddSysadmin": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/nil capAddSysadmin/and CAP_SYS_ADMIN/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I see the logic in the names now... Could you make it more explicit? Otherwise it could be misinterpreted which exactly value is nil
in the cases like allowPrivilegeEscalation nil privileged
pkg/api/validation/validation.go
Outdated
if sc.Capabilities != nil { | ||
for _, cap := range sc.Capabilities.Add { | ||
if string(cap) == "CAP_SYS_ADMIN" { | ||
allErrs = append(allErrs, field.Forbidden(field.NewPath(""), "Cannot set `allowPrivilegeEscalation` to false and `capAdd` CAP_SYS_ADMIN")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no field capAdd
. Let's use capabilities.add
at least.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Plase, add break
here to stop early.
/lgtm |
pkg/api/validation/validation.go
Outdated
|
||
if sc.AllowPrivilegeEscalation != nil && !*sc.AllowPrivilegeEscalation { | ||
if sc.Privileged != nil && *sc.Privileged { | ||
allErrs = append(allErrs, field.Invalid(fldPath, sc, "Cannot set `allowPrivilegeEscalation` to false and `privileged` to true")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Error string start with lower case?
pkg/api/validation/validation.go
Outdated
if sc.Capabilities != nil { | ||
for _, cap := range sc.Capabilities.Add { | ||
if string(cap) == "CAP_SYS_ADMIN" { | ||
allErrs = append(allErrs, field.Invalid(fldPath, sc, "Cannot set `allowPrivilegeEscalation` to false and `capabilities.Add` CAP_SYS_ADMIN")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto.
Small nits, otherwise look good to me. |
this is release blocking... can we merge/pick this as-is for 1.8, and follow up with the message tweaks? |
I can update the PR real fast no worries |
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
0c610d5
to
0ad51ed
Compare
/lgtm |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, dims, jessfraz, liggitt, tallclair Associated issue: 52454 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test pull-kubernetes-e2e-gce-bazel |
Changing |
Automatic merge from submit-queue (batch tested with PRs 51067, 52319, 52803, 52961, 51972). If you want to cherry-pick this change to another branch, please follow the instructions here.. |
…n_test Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Move test cases to a proper test method **What this PR does / why we need it**: Prior this change, we had tests in `TestValidatePodSpec()` method that is designated for testing `ValidatePodSpec()`. But because we test code from the `ValidateSecurityContext()` method, the tests should belong to `TestValidateSecurityContext()`. This PR improves the tests. Now the tests become less fragile because `ValidatePodSpec()` do a lot more validations than `ValidateSecurityContext()`. **Which issue(s) this PR fixes**: Related to #52803 where this code and tests were introduced. **Release note**: ```release-note NONE ``` PTAL @jessfraz CC @simo5
Fixes #52454