New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

change deprecated Kubelet --allow-privileged flag default to true #63442

Merged
merged 1 commit into from May 10, 2018

Conversation

@mtaufen
Contributor

mtaufen commented May 4, 2018

This enables a smooth transition to PSP. Today, users would have to
manually set --allow-privileged to true before transitioning to PSP,
which isn't a smooth deprecation path for the flag (we want people
to stop setting it). This PR makes the default behavior isomorphic
with what will happen after the flag is removed.

Defaulting --allow-privileged to true should be safe, because it simply
allows a superset of Pods to run (all workloads continue to work).

WRT #58010 (comment)
the --allow-privileged flag is effectively useless for security, so this
shouldn't be a concern from that perspective.

I also bumped the deprecation timeline in the comment to 1.13.0, so that
we give people the full period of time to stop setting
--allow-privileged, now that the behavior makes it possible to do so.

The Kubelet's deprecated --allow-privileged flag now defaults to true. This enables users to stop setting --allow-privileged in order to transition to PodSecurityPolicy. Previously, users had to continue setting --allow-privileged, because the default was false.
change deprecated Kubelet --allow-privileged flag default to true
This enables a smooth transition to PSP. Today, users would have to
manually set --allow-privileged to true before transitioning to PSP,
which isn't a smooth deprecation path for the flag (we want people
to *stop* setting it). This PR makes the default behavior isomorphic
with what will happen after the flag is removed.

Defaulting --allow-privileged to true should be safe, because it simply
allows a superset of Pods to run (all workloads continue to work).

WRT #58010 (comment)
the --allow-privileged flag is effectively useless for security, so this
shouldn't be a concern from that perspective.

I also bumped the deprecation timeline in the comment to 1.13.0, so that
we give people the full period of time to stop setting
--allow-privileged, now that the behavior makes it possible to do so.
@mtaufen

This comment has been minimized.

Contributor

mtaufen commented May 4, 2018

@krmayankk

This comment has been minimized.

Contributor

krmayankk commented May 7, 2018

@mtaufen in 1.7 i can create privileged containers without my kubelet having this flag, am i missing something ?

@tallclair

This comment has been minimized.

Member

tallclair commented May 8, 2018

/lgtm

@mtaufen

This comment has been minimized.

Contributor

mtaufen commented May 9, 2018

/retest

@Random-Liu

This comment has been minimized.

Member

Random-Liu commented May 9, 2018

/approve

@k8s-ci-robot

This comment has been minimized.

Contributor

k8s-ci-robot commented May 9, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtaufen, Random-Liu, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fejta-bot

This comment has been minimized.

fejta-bot commented May 10, 2018

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

@k8s-merge-robot

This comment has been minimized.

Contributor

k8s-merge-robot commented May 10, 2018

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-merge-robot

This comment has been minimized.

Contributor

k8s-merge-robot commented May 10, 2018

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-merge-robot k8s-merge-robot merged commit 9d6ea5b into kubernetes:master May 10, 2018

15 of 16 checks passed

Submit Queue Required Github CI test is not green: pull-kubernetes-e2e-gce
Details
cla/linuxfoundation mtaufen authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-e2e-gke Skipped
pull-kubernetes-e2e-kops-aws Job succeeded.
Details
pull-kubernetes-integration Job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce Job succeeded.
Details
pull-kubernetes-local-e2e Skipped
pull-kubernetes-local-e2e-containerized Job succeeded.
Details
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-typecheck Job succeeded.
Details
pull-kubernetes-verify Job succeeded.
Details

k8s-merge-robot added a commit that referenced this pull request Jun 20, 2018

Merge pull request #64104 from CalvinHartwell/kubelet-allow-privilege…
…d-true

Automatic merge from submit-queue (batch tested with PRs 65032, 63471, 64104, 64672, 64427). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

changed the default value for allow-privileged for the kubelet (kuber…

**What this PR does / why we need it**:

This PR modifies the default value for the kubernetes-worker: it sets the allow-privileged kubelet value to true, based on this issue:[juju-solutions/bundle-canonical-kubernetes#579. 

The original PR was here: [#63442 which included this change for the k8s 1.10 release. This PR incorporates this fix into the Canonical distribution of Kubernetes. 

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

This change fixes two issues: 

[juju-solutions/bundle-canonical-kubernetes#579
[rancher/rancher#13612

**Special notes for your reviewer**:

Waiting review from Canonical Kubernetes charm tea. 

**Release note**:

```release-note
The new default value for the --allow-privileged parameter of the Kubernetes-worker charm has been set to true based on changes which went into the Kubernetes 1.10 release. Before this change the default value was set to false. If you're installing Canonical Kubernetes you should expect this value to now be true by default and you should now look to use PSP (pod security policies). 
```

mikkeloscar added a commit to zalando-incubator/kubernetes-on-aws that referenced this pull request Aug 27, 2018

Remove deprecated --allow-privileged kubelet flag
Remove the `--allow-privileged` flag from the kubelet since it now
defaults to `true` and has been marked deprecated and will be removed in
v1.13.

kubernetes/kubernetes#63442

Signed-off-by: Mikkel Oscar Lyderik Larsen <mikkel.larsen@zalando.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment