Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security context - types, kubelet, admission #7343

Merged
merged 2 commits into from
May 5, 2015
Merged

Security context - types, kubelet, admission #7343

merged 2 commits into from
May 5, 2015

Conversation

pweil-
Copy link
Contributor

@pweil- pweil- commented Apr 27, 2015

This PR is a subset of the original code in #6287 and covers the following for SecurityContexts:

  1. New sub resource
  2. Kubelet support for setting flags based on SecurityContext Settings
  3. An always admit and always deny admission plugin
  4. Validation that defaults settings in the SecurityContext based on Container settings and vice versa

@erictune, some items I'd like to call out

  1. the SecurityContext is not inlined as recommended in WIP: Security Context #6287 (comment) but I was unsure about the example for ResourceList that you mentioned. If this implementation is incorrect I could use some guidance on where to look for the ResourceList defaulting
  2. I interpreted the "in the kubelet allow..." statements (WIP: Security Context #6287 (comment)) as the kubelet always allows a SecurityContext if it makes it to the kubelet in a pod config. Since I have not run a pod straight from a manifest I will confirm this on Monday in case I'm incorrect.
  3. I went ahead and used a provider as designed in https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/design/security_context.md#security-context-provider but it doesn't contain all the SecurityConstraint items as previously submitted. If you'd still like to stay away from a formal provider and just have the logic in the kubelet I can move it.

I need to do some more testing on the functionality to make sure I carried it all over correctly but I wanted to get this under review while I did.

@erictune @smarterclayton @pmorie @liggitt @derekwaynecarr PTAL

History: #6287

@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project, in which case you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
  • If you signed the CLA as a corporation, please let us know the company's name.

@pweil- pweil- mentioned this pull request Apr 27, 2015
Closed
@pweil- pweil- force-pushed the security-context-types branch 3 times, most recently from 4784de1 to 63b8e2b Compare April 27, 2015 14:06
@erictune
Copy link
Member

Suggest:

  • internal representation should only have container.securityContext.privileged, not container.privileged, and so on.
  • v1beta3, etc, have both
  • conversion from v1beta3 to internal fails on mismatch.
  • conversion from internal to v1beta3 fills in both.
  • conversion and check happen in pkg/api/v1beta*/conversion.go
  • in a future version > v1beta3, we drop the container.privileged field.

@bgrant0607 check above statements if you have time.

@pweil-
Copy link
Contributor Author

pweil- commented Apr 27, 2015

10-4 - on it

@bgrant0607
Copy link
Member

@erictune's proposal is correct. See container resources for an example where we used this approach.

@erictune erictune mentioned this pull request Apr 28, 2015
Closed
@erictune
Copy link
Member

Conversion happens before admission control, and conversion sets corresponding values in SecurityContext if pod.privileged or pod.capabilities is set. SecurityContextDeny disallows pods with any values set in SecurityContext. So, are all pods with pod.privileged or pod.capabilities denied? I think that is okay, but just wanted to clarify my understanding.

erictune
erictune reviewed Apr 28, 2015
View reviewed changes
pkg/api/types.go
// both the Container AND the SecurityContext will result in an error.
type SecurityContext struct {
// Capabilities are the capabilities to add/drop when running the container
// DUPLICATE OF CONTAINER FIELD
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

replace DUPLICATE OF CONTAINER FIELD with Must match Container.Privileged or be unset.

@erictune
Copy link
Member

Almost there...

@pweil-
Copy link
Contributor Author

pweil- commented Apr 29, 2015

whew - git reflog saved me.

@erictune the suggestion to move the check to the conversion really cleaned this up. The defaulting happens in the default.go of each v1beta* now. If an SC is already set then it won't be changed. The conversion errors if the container fields don't match the SC fields that exist. Otherwise a normal conversion occurs. Validation is left to do normal validation-y checks.

Descriptions have been added to all fields in the feedback commit.

@yifan-gu, @jonboulle - I removed the direct references to the docker options in the comments for everything except disabled. Perhaps disabled doesn't even need to be there, if you aren't specifying labels then maybe we just take no action. If you have thoughts on how to express this better please let me know.

Thanks for the feedback so far.

@pweil-
Copy link
Contributor Author

pweil- commented Apr 29, 2015

Conversion happens before admission control, and conversion sets corresponding values in SecurityContext if pod.privileged or pod.capabilities is set. SecurityContextDeny disallows pods with any values set in SecurityContext. So, are all pods with pod.privileged or pod.capabilities denied? I think that is okay, but just wanted to clarify my understanding.

As it stand right now, yes, it would. It creates a conflict I didn't think of, the internal api is now completely based on SecurityContext but anything with SecurityContext is denied. I'll fix that first thing tomorrow. I'll allow a SecurityContext if it only has Privileged and Caps set. Good catch.

@thockin thockin mentioned this pull request May 5, 2015
Open
@pmorie
Copy link
Member

pmorie commented May 5, 2015

This LGTM but needs to be squashed. Until #7779 goes in, we'll have to do the swagger changes as a separate PR.

@pweil- pweil- force-pushed the security-context-types branch 2 times, most recently from 5527d3c to 8c4c4f6 Compare May 5, 2015 17:23
@pmorie
Copy link
Member

pmorie commented May 5, 2015

Okay, even with #7779 merged, there is still an upstream go-restful bug that makes the validation tests break after the swagger spec is regenerated. We need that fixed before we can regen the swagger spec after this.

@pmorie
Copy link
Member

pmorie commented May 5, 2015

Actually, I think I was wrong. I ran the script locally and it produced the correct output.

@pmorie
Copy link
Member

pmorie commented May 5, 2015

LGTM. I will merge on green.

pmorie
pmorie reviewed May 5, 2015
View reviewed changes
api/swagger-spec/v1beta1.json
@@ -7623,7 +7627,8 @@
"description": "restart policy for all containers within the pod; one of RestartPolicyAlways, RestartPolicyOnFailure, RestartPolicyNever"
},
"terminationGracePeriodSeconds": {
"$ref": "int64",
"type": "integer",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bgrant0607 I'm not sure why this wasn't changed in #7779, but it looks like the pointers are being handled correctly now.

@pmorie pmorie added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 5, 2015
pmorie added a commit that referenced this pull request May 5, 2015
@pmorie
Merge pull request #7343 from pweil-/security-context-types
1625e23 
Security context - types, kubelet, admission
@pmorie pmorie merged commit 1625e23 into kubernetes:master May 5, 2015
@pmorie
Copy link
Member

pmorie commented May 5, 2015

Merged

@pweil- pweil- mentioned this pull request May 5, 2015
Merged
This was referenced May 5, 2015
Merged
Merged
@zmerlynn
Copy link
Member

zmerlynn commented May 5, 2015

This was reverted, and was the cause of #7805. See there for more context.

@smarterclayton smarterclayton mentioned this pull request May 5, 2015
Closed
@zmerlynn zmerlynn mentioned this pull request May 5, 2015
Merged
@pmorie
Copy link
Member

pmorie commented May 6, 2015

For the record, the revert was itself reverted.

@smarterclayton
Copy link
Contributor

It was verted.

On May 5, 2015, at 8:12 PM, Paul Morie notifications@github.com wrote:

For the record, the revert was itself reverted.


Reply to this email directly or view it on GitHub.

@mbforbes mbforbes mentioned this pull request May 6, 2015
Merged
@pmorie pmorie mentioned this pull request May 7, 2015
Closed
@pweil- pweil- mentioned this pull request May 10, 2015
Merged
@caesarxuchao caesarxuchao mentioned this pull request Jun 2, 2015
Merged
@mtardy mtardy mentioned this pull request Jul 28, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@pmorie pmorie

Labels
lgtm "Looks good to me", indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
10 participants
@pweil- @googlebot @erictune @bgrant0607 @pmorie @smarterclayton @derekwaynecarr @zmerlynn @jonboulle @yifan-gu