Add "MayRunAs" value among other GroupStrategies

[stlaz]

What this PR does / why we need it:
Adds "MayRunAs" value among other group strategies. This strategy
allows to define a certain range of GIDs for FSGroupStrategy and
SupplementalGroupStrategy in a PSP.

This new strategy works similarly to the "MustRunAs" one, except that
when no GID is specified in a pod/container security context then no
GID is generated for the respective containers.

Which issue(s) this PR fixes
Resolves #56173

Release note:

PodSecurityPolicy objects now support a `MayRunAs` rule for `fsGroup` and `supplementalGroups` options. This allows specifying ranges of allowed GIDs for pods/containers without forcing a default GID the way `MustRunAs` does. This means that a container to which such a policy applies to won't use any fsGroup/supplementalGroup GID if not explicitly specified, yet a specified GID must still fall in the GID range according to the policy.

[php-coder]

/sig auth
/ok-to-test

PTAL @kubernetes/sig-auth-api-reviews

CC @simo5

[php-coder]

Please, update the comment.

[php-coder]

s/MustRunAs/MayRunAs/

[php-coder]

s/to run as a particular gid/to run with particular gids/ ?

[stlaz]

It was but a mere copy-paste but "with" sounds definitely better

[php-coder]

s/when it is applied, it has to/when they are specified, they have to/ ?

[php-coder]

@stlaz One more place to update:

kubernetes/pkg/apis/policy/fuzzer/fuzzer.go

Lines 49 to 58 in 3abba25

	supplementalGroupsRules := []policy.SupplementalGroupsStrategyType{
	policy.SupplementalGroupsStrategyRunAsAny,
	policy.SupplementalGroupsStrategyMustRunAs,
	}
	psp.SupplementalGroups.Rule = supplementalGroupsRules[c.Rand.Intn(len(supplementalGroupsRules))]
	fsGroupRules := []policy.FSGroupStrategyType{
	policy.FSGroupStrategyMustRunAs,
	policy.FSGroupStrategyRunAsAny,
	}

[php-coder]

@kubernetes/sig-auth-api-reviews Do we need to update PSP in extensions API group?

[php-coder]

/assign @tallclair

[stlaz]

Updated the patch to fix verify-basel failure and to address the PR comments.

[stlaz]

This change introduces backward incompatibility since the "MayRunAs" value to the groups is unknown to previous API versions. If we convert this to "MustRunAs" internally, we wouldn't be able to later get the information that it's actually "MayRunAs".
What would be the preferred way to handle such an issue? Is the rollback desirable here? Does @tallclair have an input on this?

[krmayankk]

@tallclair @php-coder i believe the MayRunAs would also be needed by RunAsGroup field. I will include that in the PSP changes for RunAsGroup in my next PR.

[php-coder]

PTAL @tallclair

[tallclair]

This change introduces backward incompatibility since the "MayRunAs" value to the groups is unknown to previous API versions.

Backwards incompatibility means that a resource that was valid in a previous version is no longer valid (or behaves differently), which isn't the case here. What you're refering to is forwards compatibility, and that's not something Kubernetes provides, so this is a non-issue.

[tallclair]

dedupe this code with mustRunAs.Validate (extract a shared helper)

[tallclair]

This method is constant, don't bother testing it here. Instead, add a couple cases under https://github.com/kubernetes/kubernetes/blob/master/pkg/security/podsecuritypolicy/provider_test.go to ensure that the nil return works as expected.

[tallclair]

Ping.

[stlaz]

/retest

[stlaz]

The "fall in all groups" issue should now be resolved, a positive multi-ranges test was added on top of the mayrunas tests.

[liggitt]

thanks. both tallclair and I are out of the office at the moment, but will pick this up when master reopens for 1.13.

[stlaz]

Thank you. I'm not sure exactly why the verify test does not pass since make verify seems to be running fine on my system. The only guess I have was my upgrade of golang from 1.10 to 1.11 🤔

[stlaz]

/retest

[stlaz]

@tallclair Test cases for multiple groups added.

[tallclair]

A couple nits, but LGTM. Please squash.

[tallclair]

nit: inline

[tallclair]

nit: 2018

[stlaz]

Comments addressed + squashed.

[tallclair]

/lgtm
/hold cancel

[liggitt]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, stlaz, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/apis/policy/OWNERS [liggitt]
• pkg/security/podsecuritypolicy/OWNERS [liggitt,tallclair]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yue9944882]

hi folks, why not syncing these new internal definitions to the external repo? i'm afraid currently we can't specify the new strategy w/ client-go. also the "MayRunAs" will be an undefined value when deserialized into external types.

ref: #69704