-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix windows container root validate #92355
Conversation
// https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1container | ||
// Windows does not have a root user, we cannot judge the root identity of the windows container by the way to judge the root of the linux container | ||
// SecurityContext.RunAsUser, and SecurityContext.RunAsNonRoot These are Linux-specific attributes and cannot be used on windows containers | ||
// Therefore, the judgment logic here does not apply to windows container |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would it be helpful to report an error back that configuration may be incorrect? Not necessarily by failing this verification, but maybe with the log message?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both windows container and linux will cover this piece of code, but it only makes sense to execute on linux. Therefore, I feel that there is no need to output some confusing logs on windows
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do you think it will be confusing? If these settings were set by user, it may be important to know that settings were ignored. Or the assumption here that those log messages will never be seen by the person who set these configuration settings?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The processing logic of verifyRunAsNonRoot
is not suitable for windows containers. Many of the judgment fields are based on Linux containers, such as SecurityContext.RunAsUser
, image.uid
, SecurityContext.RunAsNonRoot
. So I have circumvented this logic~ Maybe Windows container should be judged separately and used for user input check. Is this better? Do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be cleaner to split it out and judge differently. Could use file suffix for the implementation as is done for applyPlatformSpecificContainerConfig in the windows and linux files. For windows this can be a noop and if later there are privileged containers we would be able to add logic cleanly.
// Windows does not have a root user, we cannot judge the root identity of the windows container by the way to judge the root of the linux container | ||
// SecurityContext.RunAsUser, and SecurityContext.RunAsNonRoot These are Linux-specific attributes and cannot be used on windows containers | ||
// Therefore, the judgment logic here does not apply to windows container | ||
if goruntime.GOOS != "windows" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would it be possible to add a test?
/sig windows |
d5574c8
to
5acdd3c
Compare
// +build !windows | ||
|
||
/* | ||
Copyright 2016 The Kubernetes Authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit
Copyright 2016 The Kubernetes Authors. | |
Copyright 2020 The Kubernetes Authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done .
// +build windows | ||
|
||
/* | ||
Copyright 2016 The Kubernetes Authors. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copyright 2016 The Kubernetes Authors. | |
Copyright 2020 The Kubernetes Authors. |
@@ -0,0 +1,51 @@ | |||
// +build !windows |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same in security_context_test.go
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't get what you meant.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the file security_context_test.go calls into the method you modified. If you compile different version on windows - running these tests on windows would fail. So I suggest to add the same build !windows
to the file containing tests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also worth renaming the test file with the same pattern as the product code. With _other
or _non_windows
suffix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
changed.
@@ -0,0 +1,51 @@ | |||
// +build !windows | |||
|
|||
/* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the pattern in file naming is security_context_windows.go
and security_context.go
In couple places I saw _unix
or _linux
suffices. I'd vote for consistency and drop _other
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here I have a very uncertain thing is that other platforms besides Linux and Windows support this feature, so I chose to use others~~
There are many examples of this in kubernetes,such as
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/config/validation/validation_others.go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you for pointing out. Somehow all examples I saw was not using this pattern. I guess it's ok. If not previous examples my suggestion would be security_context_non_windows.go
. It may be the most descriptive name
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
About this, I went to look at some of the existing designs of kubernetes.
- If the platform support is very clear, it is generally
*_linux.go
,*_windows.go
,*_unspport.go
. - If it is possible to distinguish between windows and others, it is generally
*_others.go
,*_windows.go
.
I think it’s better to follow the existing naming rules, otherwise it will confuse people , what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, lets keep it. It looks consistent with the pattern. Thank you for looking into it
425a0b9
to
e15325e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still think it may be valuable to log warning if unsupported setting was set for windows. But this is an additional feature to log this warning and PR is ok.
/retest |
/test pull-kubernetes-e2e-kind-ipv6 |
this will be moved back into the milestone as part of the phased reopen for 1.20 merges |
SIG Windows Backlog Meeting Next Step: Need 1.20 Tag and merging. @marosset to work on that |
@jsturtevant @michmike @SergeyKanzhelev |
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should setting WindowsOptions on linux containers also fail more loudly?
klog.Warningf("Windows container does not support SecurityContext.RunAsUser, please use SecurityContext.WindowsOptions") | ||
} | ||
if effectiveSc.SELinuxOptions != nil { | ||
klog.Warningf("Windows container does not support SecurityContext.SELinuxOptions, please use SecurityContext.WindowsOptions") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a big deal, right? Someone thinks they are running with security options that we aren't applying. Should this fail more loudly?
If i'm interpreting this correctly, I would suggest emiting an event, or even returning an error here. Same comment for other unsupported options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the argumentation here is that these settings were likely set by some plugin. See #93475 (comment)
This is why warning was good enough from my perspective, but I'd like somebody from windows sig to confirm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should add a check to
kubernetes/pkg/apis/core/validation/validation.go
Line 3769 in 3606591
func ValidatePodSecurityContext(securityContext *core.PodSecurityContext, spec *core.PodSpec, specPath, fldPath *field.Path) field.ErrorList { |
From my perspective we should encourage plugin/automation authors to use node selectors if they are going to blanket apply security policy to pods rather than working around that assumption in the kubelet.
@jsturtevant thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because these do not cause cri errors, it is just that the features of linux container on windows container cannot take effect, and vice versa. If kubelet fails more loudly, it will affect existing applications (adding wrong WindowsOptions or LinuxOptions). So I think the warning level log may be a way to make sense (may need to be more detailed)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is a very good idea. When apiserver pre-verification, if the user explicitly sets SecurityContext.SELinuxOptions
or SecurityContext.WindowsOptions
for verification, if the discussion passes, I can try to open another A pr.
But kubelet is really responsible for calling cri to create pod logic. Should it also have its own necessary verification logic?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should add a check to
that verifies only one of SecurityContext.SELinuxOptions or SecurityContext.WindowsOptions are set.kubernetes/pkg/apis/core/validation/validation.go
Line 3769 in 3606591
func ValidatePodSecurityContext(securityContext *core.PodSecurityContext, spec *core.PodSpec, specPath, fldPath *field.Path) field.ErrorList {
Tightening API validation is not generally possible (see #64841). If that combination of settings is never legitimate (is a multi-OS image possible?), we could add that to the list of things we want to warn about (#94626)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @liggitt, that addresses my concern.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This also addresses my concerns as well and I agree a warming would be more appropriate here.
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dashpole, wawa0210 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
/milestone v1.20 |
What type of PR is this?
/kind bug
/kind feature
What this PR does / why we need it:
From https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1container
Windows container does not have a root user,but kubelet will still check the user of the windows container when creating the pod.
The current inspection conditions are based on the
RunAsNonRoot
andRunAsUser
of the Linux container, and the results checked based on these conditions are incorrectWhich issue(s) this PR fixes:
Fixes #91482 #91414
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/sig windows
/assign @dchen1107