Allow setting securityContext in ephemeral containers #99023
Conversation
Skipping CI for Draft Pull Request.
@verb: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test all
/assign @tallclair
/retest
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project.
/retest
/lgtm
397d0b5 to babebf7
@tallclair now that we've got the /hold cancel
Which release version are we planning to add this support for?
@akifkhan01 Ideally this will merge in time for 1.22. This PR is all that's required for configurable security context.
/lgtm
/assign @liggitt
@@ -85,6 +85,7 @@ var allowedEphemeralContainerFields = map[string]bool{ | |||
"TerminationMessagePath": true, | |||
"TerminationMessagePolicy": true, | |||
"ImagePullPolicy": true, | |||
"SecurityContext": true, |
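Review bot: Adding "SecurityContext" to allowedEphemeralContainerFields widens what the API server accepts on an ephemeral container, but nothing in this hunk touches the admission code that evaluates a container's securityContext (PodSecurityPolicy and the newer PodSecurity admission). Please confirm those paths iterate over ephemeralContainers the same way they do over containers and initContainers, and add test coverage for that interaction in the same change rather than relying on a later follow-up, so a debug container cannot carry a privileged securityContext that the pod's own containers would be denied.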
is there any coverage of this field for PodSecurity and PodSecurityPolicy?
For PodSecurityPolicy I added tests to podsecuritypolicy/provider_test.go to run the Container tests on EphemeralContainer as well.
I wasn't following the PSP replacement and didn't know about PodSecurity until you mentioned it. I'm happy to add test coverage there as well once I bring myself up to speed. If the PSP coverage looks sufficient, how do you feel about addressing PodSecurity in a follow-up PR since it's still in alpha?
as long as there's double opt-in and we have test coverage for the interaction before either this feature or PodSecurity graduates from alpha, that's ok
including test coverage for ephemeral containers is in the PodSecurity KEP for alpha → beta graduation
fwiw, running with PodSecurity enabled, I just verified the PodSecurity enforce level already applies to ephemeral containers as well:
FEATURE_GATES=PodSecurity=true,EphemeralContainers=true hack/local-up-cluster.sh
kubectl label ns default pod-security.kubernetes.io/enforce=restricted
kubectl apply -f ~/snippets/pods/restricted_pod.json
kubectl debug restricted -it --image=busybox
Defaulting debug container name to debugger-86nkb.
Error from server (Forbidden): allowPrivilegeEscalation != false (container "debugger-86nkb" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "debugger-86nkb" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "debugger-86nkb" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "debugger-86nkb" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
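The four restricted-profile requirements named in that error, as an added stand-alone illustration (this is not the PodSecurity admission code from kubernetes/kubernetes, only a simplified re-statement of those checks) applied uniformly to containers, initContainers and ephemeralContainers of a pod manifest, with the "pod or container" fallback for runAsNonRoot and seccompProfile; the pod below is constructed for the example.

```python
# Added example: simplified approximation of the four "restricted"
# PodSecurity checks quoted above, run over every container list in a
# pod spec, including ephemeralContainers. Not the upstream admission code.

def _ctx(obj):
    """Return the securityContext of a pod or container, or {} if unset."""
    return obj.get("securityContext") or {}


def restricted_violations(pod):
    """Return the restricted-profile violations for every container in the pod."""
    spec = pod.get("spec", {})
    pod_ctx = _ctx(spec)
    violations = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field, []):
            name, ctx = c.get("name", "?"), _ctx(c)
            if ctx.get("allowPrivilegeEscalation") is not False:
                violations.append(
                    f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
            drop = (ctx.get("capabilities") or {}).get("drop") or []
            if "ALL" not in drop:
                violations.append(
                    f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
            # runAsNonRoot and seccompProfile may be satisfied at pod level;
            # an explicit container-level value overrides the pod-level one.
            if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
                violations.append(
                    f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
            seccomp = ctx.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}
            if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
                violations.append(
                    f'pod or container "{name}" must set securityContext.seccompProfile.type '
                    'to "RuntimeDefault" or "Localhost"')
    return violations


# Constructed sample: a compliant main container plus the kind of ephemeral
# container `kubectl debug --image=busybox` adds without any securityContext.
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
        "ephemeralContainers": [{"name": "debugger-86nkb", "image": "busybox"}],
    }
}
```

Because the sample pod satisfies runAsNonRoot and seccompProfile at pod level, only the two container-only requirements remain unmet for the debugger container.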
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, tallclair, verb The full list of commands accepted by this bot can be found here. The pull request process is described here
Hi, v1.22 Enhancements Lead here. Enhancement 277 was not opted into v1.22. If you would still like to land this change in this release, please file an exception request. /milestone clear
/retest Review the full test history for this PR. Silence the bot with an
/milestone v1.22 Exception was approved.
/retest |
What type of PR is this?
/kind feature
/sig node
/priority important-soon
What this PR does / why we need it: This adds securityContext to the whitelist of fields allowed in ephemeral containers (kubernetes/enhancements#277).
Which issue(s) this PR fixes:
Fixes #53188
Special notes for your reviewer:
KEP-277 was amended to allow securityContext in kubernetes/enhancements#1690.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: