Implement PodSecurityPolicy enforcement for seccomp GA

[saschagrunert]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This implements the necessary pieced for the PodSecurityPolicy
enforcement like described in the appropriate KEP section:

https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/20190717-seccomp-ga.md#podsecuritypolicy-enforcement

Which issue(s) this PR fixes:

Refers to #91286

Special notes for your reviewer:

Based on #91408

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- KEP: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/20190717-seccomp-ga.md

[saschagrunert]

/test pull-kubernetes-verify

[saschagrunert]

/assign @liggitt

kindly asking for review.

[saschagrunert]

/test pull-kubernetes-bazel-test

[liggitt]

Can we base this on #91408, and expose and use seccompAnnotationForField? I think that would let us do something much more minimal like this:

diff --git a/pkg/security/podsecuritypolicy/seccomp/strategy.go b/pkg/security/podsecuritypolicy/seccomp/strategy.go
index 0c8d3faf9e5..83d024dce74 100644
--- a/pkg/security/podsecuritypolicy/seccomp/strategy.go
+++ b/pkg/security/podsecuritypolicy/seccomp/strategy.go
@@ -83,6 +83,10 @@ func (s *strategy) Generate(annotations map[string]string, pod *api.Pod) (string
 		// Profile already set, nothing to do.
 		return annotations[api.SeccompPodAnnotationKey], nil
 	}
+	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
+		// Profile field already set, translate to annotation
+		return SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile), nil
+	}
 	return s.defaultProfile, nil
 }
 
@@ -92,6 +96,10 @@ func (s *strategy) ValidatePod(pod *api.Pod) field.ErrorList {
 	allErrs := field.ErrorList{}
 	podSpecFieldPath := field.NewPath("pod", "metadata", "annotations").Key(api.SeccompPodAnnotationKey)
 	podProfile := pod.Annotations[api.SeccompPodAnnotationKey]
+	// if the annotation is not set, see if the field is set and derive the corresponding annotation value
+	if len(podProfile) == 0 && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
+		podProfile = SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
+	}
 
 	if !s.allowAnyProfile && len(s.allowedProfiles) == 0 && podProfile != "" {
 		allErrs = append(allErrs, field.Forbidden(podSpecFieldPath, "seccomp may not be set"))
@@ -141,9 +149,19 @@ func (s *strategy) profileAllowed(profile string) bool {
 
 // profileForContainer returns the container profile if set, otherwise the pod profile.
 func profileForContainer(pod *api.Pod, container *api.Container) string {
+	if container.SecurityContext != nil && container.SecurityContext.SeccompProfile != nil {
+		// derive the annotation value from the container field
+		return SeccompAnnotationForField(container.SecurityContext.SeccompProfile)
+	}
 	containerProfile, ok := pod.Annotations[api.SeccompContainerAnnotationKeyPrefix+container.Name]
 	if ok {
+		// return the existing container annotation
 		return containerProfile
 	}
+	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.SeccompProfile != nil {
+		// derive the annotation value from the pod field
+		return SeccompAnnotationForField(pod.Spec.SecurityContext.SeccompProfile)
+	}
+	// return the existing pod annotation
 	return pod.Annotations[api.SeccompPodAnnotationKey]
 }

[liggitt]

/hold cancel

[saschagrunert]

Thanks. Did hack/verify-import-boss.sh pass locally?

Unfortunately it does not, we have to find another location for the utility methods:

errors in package "k8s.io/kubernetes/test/e2e/framework/providers/kubemark":
the following imports did not match any allowed prefix:
  k8s.io/kubernetes/pkg/api/pod


!!! Error in ./hack/verify-import-boss.sh:46
  Error in ./hack/verify-import-boss.sh:46. '$(kube::util::find-binary "import-boss") --include-test-files=true --verify-only --input-dirs "$(IFS=, ; echo "${packages[*]}")"' exited with status 1
Call stack:
  1: ./hack/verify-import-boss.sh:46 main(...)
Exiting with status 1

[saschagrunert]

Would staging/src/k8s.io/apimachinery/pkg/util/seccomp a sufficient location?

At least import-boss does not complain if I import utilfeature "k8s.io/apiserver/pkg/util/feature" in pkg/security/podsecuritypolicy/seccomp/strategy.go…

Edit: I think it will not work because both functions depend on v1 and core.

[liggitt]

You can add k8s.io/kubernetes/pkg/api/pod to the list of allowed imports for kubemark

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/api/OWNERS [liggitt]
• pkg/registry/OWNERS [liggitt]
• pkg/security/podsecuritypolicy/OWNERS [liggitt]
• test/e2e/framework/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

/lgtm

[saschagrunert]

/retest

[pjbgf]

/retest

[saschagrunert]

/retest

[liggitt]

/retest

[pjbgf]

/retest

[saschagrunert]

/retest

[saschagrunert]

/retest

[saschagrunert]

/retest

[saschagrunert]

/retest

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

[saschagrunert]

/retest

[saschagrunert]

/retest

[saschagrunert]

/retest