fix windows container root validate #92355
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
area/kubelet
sig/node
| // https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1container | ||
| // Windows does not have a root user, we cannot judge the root identity of the windows container by the way to judge the root of the linux container | ||
| // SecurityContext.RunAsUser, and SecurityContext.RunAsNonRoot These are Linux-specific attributes and cannot be used on windows containers | ||
| // Therefore, the judgment logic here does not apply to windows container |
There was a problem hiding this comment.
would it be helpful to report an error back that configuration may be incorrect? Not necessarily by failing this verification, but maybe with the log message?
There was a problem hiding this comment.
Both windows container and linux will cover this piece of code, but it only makes sense to execute on linux. Therefore, I feel that there is no need to output some confusing logs on windows
There was a problem hiding this comment.
why do you think it will be confusing? If these settings were set by user, it may be important to know that settings were ignored. Or the assumption here that those log messages will never be seen by the person who set these configuration settings?
There was a problem hiding this comment.
The processing logic of verifyRunAsNonRoot is not suitable for windows containers. Many of the judgment fields are based on Linux containers, such as SecurityContext.RunAsUser, image.uid, SecurityContext.RunAsNonRoot. So I have circumvented this logic~ Maybe Windows container should be judged separately and used for user input check. Is this better? Do you think?
There was a problem hiding this comment.
I think it would be cleaner to split it out and judge differently. Could use file suffix for the implementation as is done for applyPlatformSpecificContainerConfig in the windows and linux files. For windows this can be a noop and if later there are privileged containers we would be able to add logic cleanly.
| // Windows does not have a root user, we cannot judge the root identity of the windows container by the way to judge the root of the linux container | ||
| // SecurityContext.RunAsUser, and SecurityContext.RunAsNonRoot These are Linux-specific attributes and cannot be used on windows containers | ||
| // Therefore, the judgment logic here does not apply to windows container | ||
| if goruntime.GOOS != "windows" { |
There was a problem hiding this comment.
would it be possible to add a test?
|
/sig windows |
k8s-ci-robot
added
the
sig/windows
k8s-ci-robot
added
size/L
wawa0210
force-pushed
the
fix-91482
branch
2 times, most recently
from
d5574c8
to
5acdd3c
Compare
| // +build !windows | ||
|
|
||
| /* | ||
| Copyright 2016 The Kubernetes Authors. |
There was a problem hiding this comment.
nit
| Copyright 2016 The Kubernetes Authors. | |
| Copyright 2020 The Kubernetes Authors. |
| // +build windows | ||
|
|
||
| /* | ||
| Copyright 2016 The Kubernetes Authors. |
There was a problem hiding this comment.
| Copyright 2016 The Kubernetes Authors. | |
| Copyright 2020 The Kubernetes Authors. |
| @@ -0,0 +1,51 @@ | |||
| // +build !windows | |||
There was a problem hiding this comment.
same in security_context_test.go?
There was a problem hiding this comment.
I didn't get what you meant.
There was a problem hiding this comment.
the file security_context_test.go calls into the method you modified. If you compile different version on windows - running these tests on windows would fail. So I suggest to add the same build !windows to the file containing tests
There was a problem hiding this comment.
Also worth renaming the test file with the same pattern as the product code. With _other or _non_windows suffix.
| @@ -0,0 +1,51 @@ | |||
| // +build !windows | |||
|
|
|||
| /* | |||
There was a problem hiding this comment.
the pattern in file naming is security_context_windows.go and security_context.go In couple places I saw _unix or _linux suffices. I'd vote for consistency and drop _other
There was a problem hiding this comment.
Here I have a very uncertain thing is that other platforms besides Linux and Windows support this feature, so I chose to use others~~
There are many examples of this in kubernetes,such as
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/config/validation/validation_others.go
There was a problem hiding this comment.
thank you for pointing out. Somehow all examples I saw was not using this pattern. I guess it's ok. If not previous examples my suggestion would be security_context_non_windows.go. It may be the most descriptive name
There was a problem hiding this comment.
About this, I went to look at some of the existing designs of kubernetes.
- If the platform support is very clear, it is generally
*_linux.go,*_windows.go,*_unspport.go. - If it is possible to distinguish between windows and others, it is generally
*_others.go,*_windows.go.
I think it’s better to follow the existing naming rules, otherwise it will confuse people , what do you think?
There was a problem hiding this comment.
sure, lets keep it. It looks consistent with the pattern. Thank you for looking into it
wawa0210
force-pushed
the
fix-91482
branch
2 times, most recently
from
425a0b9
to
e15325e
Compare
|
/retest |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-e2e-kind-ipv6 |
|
this will be moved back into the milestone as part of the phased reopen for 1.20 merges |
|
SIG Windows Backlog Meeting Next Step: Need 1.20 Tag and merging. @marosset to work on that |
|
@jsturtevant @michmike @SergeyKanzhelev |
|
/lgtm |
| klog.Warningf("Windows container does not support SecurityContext.RunAsUser, please use SecurityContext.WindowsOptions") | ||
| } | ||
| if effectiveSc.SELinuxOptions != nil { | ||
| klog.Warningf("Windows container does not support SecurityContext.SELinuxOptions, please use SecurityContext.WindowsOptions") |
There was a problem hiding this comment.
This is a big deal, right? Someone thinks they are running with security options that we aren't applying. Should this fail more loudly?
If i'm interpreting this correctly, I would suggest emiting an event, or even returning an error here. Same comment for other unsupported options.
There was a problem hiding this comment.
I think the argumentation here is that these settings were likely set by some plugin. See #93475 (comment)
This is why warning was good enough from my perspective, but I'd like somebody from windows sig to confirm
There was a problem hiding this comment.
Maybe we should add a check to
kubernetes/pkg/apis/core/validation/validation.go
Line 3769 in 3606591
From my perspective we should encourage plugin/automation authors to use node selectors if they are going to blanket apply security policy to pods rather than working around that assumption in the kubelet.
@jsturtevant thoughts?
There was a problem hiding this comment.
Because these do not cause cri errors, it is just that the features of linux container on windows container cannot take effect, and vice versa. If kubelet fails more loudly, it will affect existing applications (adding wrong WindowsOptions or LinuxOptions). So I think the warning level log may be a way to make sense (may need to be more detailed)
There was a problem hiding this comment.
I think this is a very good idea. When apiserver pre-verification, if the user explicitly sets SecurityContext.SELinuxOptions or SecurityContext.WindowsOptions for verification, if the discussion passes, I can try to open another A pr.
But kubelet is really responsible for calling cri to create pod logic. Should it also have its own necessary verification logic?
There was a problem hiding this comment.
Maybe we should add a check to
that verifies only one of SecurityContext.SELinuxOptions or SecurityContext.WindowsOptions are set.kubernetes/pkg/apis/core/validation/validation.go
Line 3769 in 3606591
Tightening API validation is not generally possible (see #64841). If that combination of settings is never legitimate (is a multi-OS image possible?), we could add that to the list of things we want to warn about (#94626)
There was a problem hiding this comment.
Thanks @liggitt, that addresses my concern.
There was a problem hiding this comment.
This also addresses my concerns as well and I agree a warming would be more appropriate here.
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dashpole, wawa0210 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/lgtm |
|
/milestone v1.20 |
What type of PR is this?
/kind bug
/kind feature
What this PR does / why we need it:
From https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190103-windows-node-support.md#v1container
Windows container does not have a root user,but kubelet will still check the user of the windows container when creating the pod.
The current inspection conditions are based on the
RunAsNonRootandRunAsUserof the Linux container, and the results checked based on these conditions are incorrectWhich issue(s) this PR fixes:
Fixes #91482 #91414
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/sig windows
/assign @dchen1107