
Warn / Thread through steps for permissions fixing (pod security policy / fsGroup) #73924

Closed
wants to merge 3 commits into from

Conversation

@jayunit100 (Member) commented Feb 11, 2019

Creating a companion issue now. As of now you can't see what the kubelet is actually doing when it's mounting w/ perms. So it's a minor bug I guess.


Made kubelet mount / fsGroup and PSP setup logging more explicit.

@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Feb 11, 2019
@jayunit100 (Member, Author) commented Feb 11, 2019

Addresses #73925 by making the details around how file owners are set explicit in the kubelet. Also makes explicit the decision of whether or not a setup attempt for file ownership is being made.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Feb 11, 2019
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 11, 2019
@jayunit100 (Member, Author)

/sig node

@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 11, 2019
@k8s-ci-robot k8s-ci-robot added the sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. label Feb 12, 2019
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 12, 2019
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 12, 2019
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 12, 2019
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 12, 2019
@chrislovecnm (Contributor) left a comment

/lgtm
/approve

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: chrislovecnm, jayunit100
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: gnufied

If they are not already assigned, you can assign the PR to them by writing /assign @gnufied in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@chrislovecnm

/assign gnufied

@gnufied

gnufied commented Feb 12, 2019

I like this idea of informing the user when we aren't changing permissions, but I am not sure if logging the message is the right way to go about it. We already log an event when mount is successful:

  Normal   SuccessfulMountVolume  14s                kubelet, dev-hekumar-cinder2-nrr-1  MountVolume.SetUp succeeded for volume "default-token-456gk"

We could extend this message to include information about permission bits. Another thing is - just modifying CSI plugin isn't a good answer. We should make sure the change affects all volume plugins.

@jayunit100

@gnufied ... agree that events are useful. Logs are typically sent to storage vendors when there is a problem though, hence they are equally important, albeit for a different use case than the end-user use case....

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 13, 2019
@jayunit100

jayunit100 commented Feb 13, 2019

Updated the volume_unsupported call so that there's a warning there as well... that handles aws, azure, cinder, configmap, csi, downwardapi, emptydir, diskmgr, mounter, flocker, gce, git, local, portworx, secret, storageos and vsphere. Would prefer to keep the scope of this PR specifically to logs, as that is the key thing for vendor communications, which is really the priority (for me at least :) ).

Next step... better Events.

That said, I am happy to plumb this into eventing (events are definitely useful, for example to developers working on CSI plugins, or apps that haven't yet triaged a storage bug). In any case, if it's a hard requirement, preferably let's do the event plumbing in a follow-on PR?

If we have events... do we need logs ?

Absolutely, in my opinion. Here's why (let me know if I'm missing something here, but I've seen a lot of outages, on all cloud platforms, even including GKE and other managed providers, and they're not pretty, and typically can have symptoms for 12 or 24 hours before/after the occurrence). The reason IMO that just broadcasting events isn't particularly useful for CSI related issues is that, during outages (we just experienced one), they cycle, get cleaned, are stored remotely, aren't alertable via log aggregators, aren't in a time series with other granular info, and so on, so events, although useful to developers during theoretical testing, are really not super useful for production forensics, or at least not in the current traditional data center / vendor interaction models.

Example scenarios

  • You have a vendor storage outage, and a large portion of your cluster goes down, including possibly etcd itself.
  • You have mounts that fail periodically over a period of a week, and want to send all kubelet logs for that time frame to a vendor for SLA etc.
  • Note if a storage vendor goes out, you may not even have the etcd event storage available at all (unless events are permanently put in the kubelet somewhere? I don't think they are though).
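The two things under discussion, the explicit "are we attempting fsGroup ownership setup, and if not, why" decision from the PR description and gnufied's suggestion to carry the permission outcome into the SuccessfulMountVolume message, sketched in Go as an added example. This is not code from this PR or from the kubelet: `decideOwnership`, `setVolumeOwnership`, `mountEventMessage`, the `fsOps` interface and the mode masks are hypothetical names, and the masks themselves (group rw on files, group ro when the volume is read-only, exec plus setgid on directories so new files inherit the group) are an assumption about kubelet behaviour, not a quote of its code. Every path visited produces its own log line, which is the kubelet-side trail the thread argues a vendor needs when events have already been garbage-collected.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Mode bits applied on top of each entry's existing mode (assumption, see lead-in).
const (
	rwMask   = os.FileMode(0660) // group read/write for writable volumes
	roMask   = os.FileMode(0440) // group read-only for read-only volumes
	execMask = os.FileMode(0110) // group traverse on directories
)

// OwnershipDecision makes the skip/apply choice explicit so it can be logged verbatim.
type OwnershipDecision struct {
	Apply  bool
	Reason string
}

// decideOwnership is the explicit decision step (hypothetical; inputs stand in for what
// the kubelet knows about the pod's securityContext and the volume plugin).
func decideOwnership(fsGroup *int64, pluginSupportsOwnership bool) OwnershipDecision {
	switch {
	case fsGroup == nil:
		return OwnershipDecision{Apply: false, Reason: "skipping fsGroup setup: pod sets no fsGroup"}
	case !pluginSupportsOwnership:
		return OwnershipDecision{Apply: false, Reason: "skipping fsGroup setup: volume plugin does not support ownership management"}
	}
	return OwnershipDecision{Apply: true, Reason: fmt.Sprintf("setting group ownership to fsGroup %d", *fsGroup)}
}

// fsOps abstracts the two syscalls so the walk can be exercised without root (hypothetical).
type fsOps interface {
	Lchown(path string, uid, gid int) error
	Chmod(path string, mode os.FileMode) error
}

type osOps struct{}

func (osOps) Lchown(p string, uid, gid int) error { return os.Lchown(p, uid, gid) }
func (osOps) Chmod(p string, m os.FileMode) error  { return os.Chmod(p, m) }

// setVolumeOwnership walks root, sets the group and mode bits on every entry, and returns
// one log line per entry so an operator can see exactly what the node changed.
func setVolumeOwnership(root string, fsGroup int64, readOnly bool, ops fsOps) ([]string, error) {
	var lines []string
	err := filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		// Lchown acts on the entry itself, so a symlink pointing outside the volume never
		// drags its target into the chown.
		if err := ops.Lchown(path, -1, int(fsGroup)); err != nil {
			return fmt.Errorf("chown %s: %w", path, err)
		}
		if info.Mode()&os.ModeSymlink != 0 {
			// os.Chmod would follow the link, so stop here and say so in the log.
			lines = append(lines, fmt.Sprintf("%s: symlink, group set on link only, target untouched", path))
			return nil
		}
		mask := rwMask
		if readOnly {
			mask = roMask
		}
		if info.IsDir() {
			mask |= execMask | os.ModeSetgid
		}
		newMode := info.Mode() | mask
		if err := ops.Chmod(path, newMode); err != nil {
			return fmt.Errorf("chmod %s: %w", path, err)
		}
		lines = append(lines, fmt.Sprintf("%s: gid=%d mode %v -> %v", path, fsGroup, info.Mode(), newMode))
		return nil
	})
	return lines, err
}

// mountEventMessage is the SuccessfulMountVolume text extended with the permission
// decision, the shape gnufied asked about (exact wording is an assumption).
func mountEventMessage(volume string, d OwnershipDecision) string {
	return fmt.Sprintf("MountVolume.SetUp succeeded for volume %q (%s)", volume, d.Reason)
}

func main() {
	// Constructed sample volume: a temp dir with one file, chowned to a group this
	// process already belongs to so the real syscalls succeed unprivileged.
	root, err := os.MkdirTemp("", "fsgroup-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(root)
	_ = os.WriteFile(filepath.Join(root, "data.txt"), []byte("constructed sample\n"), 0600)

	fsGroup := int64(os.Getgid())
	d := decideOwnership(&fsGroup, true)
	fmt.Println(mountEventMessage("demo-volume", d))
	if !d.Apply {
		return
	}
	lines, err := setVolumeOwnership(root, fsGroup, false, osOps{})
	for _, l := range lines {
		fmt.Println(l)
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

The skip reasons are strings on purpose: the same `Reason` goes into the kubelet log line and into the event message, so a vendor reading only the node logs sees the same wording an end user sees in `kubectl describe pod`.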

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 13, 2019
@chrislovecnm (Contributor) left a comment

/lgtm

@ericbannon left a comment

nice!

@k8s-ci-robot

@jayunit100: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 9, 2019
@jayunit100

jayunit100 commented May 3, 2019

What are the next steps for this? Would like to move this forward, but if there's no interest I'll close it. Needs a little rebase also; I'll do that based on feedback.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 1, 2019
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 31, 2019
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot

@fejta-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
7 participants