-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Policy Extension Point #18647
Comments
/cc @lxpollitt - I know we had some discussions on policy a while back so this may be of interest |
Clarification Points: How is this different from AuthZ1) Policy Engines should (eventually) have the ability to change the configuration of a container It's possible to "guess" the user intent from the configuration and change the config appropriately - as opposed to failing and asking them to re-run with the right configuration. This was omitted from the original proposal as to do so we'd need to put containers in a state that requires user intervention, effectively making the remote API asynchronous. In this case, it would be advantageous to give a user a Yes/No prompt to see if they agree with the policy changes, or you may want to defer that decision to somebody with override permissions. Additionally, changing the configuration of a running container is also necessary (perhaps via #15078) if the policy changes, which brings us to point 2. 2) Policies are dynamic Where AuthZ is reacting to specific user input (e.g can I run this?), a Policy Engine is proactive. 3) There are parts of the container config that are outside the control of the Docker Engine We pass the a reference to the computed policies to drivers (Network/IPAM/Volume etc...) so they can apply the policy - assuming they know how to contact the policy engine. E.g a network driver could write different QoS settings based on the policies applied Why not just use Labels?Labels can appear from within a Dockerfile using E.g If a Labels are also not being passed to Network drivers and as such they would not be in a position to enforce a policy. |
Feels like this is heading in a good and sensible direction, but lots of questions we would like to ask to understand more fully. I've just been discussing with @tomdee. He'll comment shortly in a bit more depth. |
I've taken a look over this and tried to understand it all. It seems like a useful feature but there are some areas that I think would be really useful to spec out in a little more detail.
Based on what I've understood (as outlined above), I'm concerned about this
The policy engine is going to pass data to plugins, that the plugins need to act on but you're not defining what this data is. You're simply saying that the user must select ones that work together which kind of implies that they all need to be written by the same person. This is fine for Docker, since you'll provide a complete suite of batteries included plugins, but isn't very good for people that only have a single type of plugin (e.g. a network plugin). Does it mean that they need to write a compatible policy engine? Will that policy engine have to enforce unrelated concerns too (e.g. things relevant to volumes, even though it's written by a network driver writer) or will policy engines be composable in some way? If the default Docker policy engine (I'm presuming there will be one?) defines a policy definition language that allows constraints to include arbitrary key/values that can be consumed by the drivers then I think that alleviates most of my concerns. e.g. an infrastruture provider could specify a constraint that ensures that all users with certain level of service get an arbitrary key/value that will be passed down to the network driver for it to consume. |
Preferably not. Rather, the engine should derive the correct network policy from the combination of abstract labels e.g
Not at this time. As a follow up to this, I'd welcome a discussion on creating a standard set of key/value pairs that drivers can expect to act upon + an interface to allow them to talk to the policy engine. Also, a discussion on creating a policy description language (something like Docker Compose) and a policy engine. As those discussions are likely to take much longer IMO, I thought it would be prudent to lead with the plumbing first to unblock people that want to provide a full stack of plugins with support for policy. |
can we have a clear explanation about why this must be implemented at the engine level and not by a something else on top of the engine? At first glance, this looks very specific to @jainvipin's use case. As @tomdee points out, other plugins providers are not going to be able to use this unless we provide a set of standard and understandable rules that they can use. As you mention, we're not going to provide this for now, which makes this feature less useful. I'm personally not very sold in this proposal, as it seems to be very focused on solving a very specific use case. I'm also very open to reconsider my position of we can agree that this is absolutely necessary inside the engine and we can define something that everyone can take advantage of. |
@calavera Thanks for sharing your thoughts on this. Please allow me to take advantage of Three parts to the response, first discuss the use cases and if they are generic, second one on why in a docker-engine. Some very simple use cases that I believe are generic:
I don't want to burden with more and elaborate use cases here, but there are many that will require drivers to know the network/storage policy for the containers. I will be happy to talk about them in a hangout session if that works best. Why does it belong in docker-engine:
Compatibility with disjoint set of plugins:
Even if you believe these are specific use cases, for that reason the 'default policy plugin' need not be there, but if (remote or local) drivers can get the policy attributes via policy plugin it is a big enabler for the use cases in Docker eco-system. I will also let @tomdee, @lxpollitt, @bboreham and others comment on their perspective... |
Update: This proposal was discussed at the last maintainers meeting and we discussed that Policy (from a plumbing perspective) could be a AuthZ plugin, or an extension of the AuthZ plugin protocol. I'm looking in to the details of that today. Secondly, it was agreed that adding Policy isn't really useful if we don't define a standard - e.g some high level policy objects that can be supported by all drivers. I suggested we start with Network Policy as there are enough interested parties to start fleshing something out. |
@jainvipin it seems you make a good case for docker-engine to know the policy, and to supply it as needed to plugins, end-users, etc., but your examples give no rationale for docker-engine to implement policy. More broadly, I would like clarification around the proposed mechanism - the example of "label ‘environment=production’" seems like it makes sense for container labels but not for image labels - you'd want to run an image pre-production for test purposes, then bless the same image as "production" once it passed tests. "receive preferred access to memory" does not seem to be compatible with the "permit or deny" response - how is this intended to work? Are there some specific use-cases that drive the requirement? Note for clarity: I work for Weaveworks. We do get people asking how they can prevent things happening, generally developers connecting random things into production without Ops knowing about it. |
@bboreham - some follow-ups...
your observation is correct about my examples rationalizing docker engine to know vs implement the policy. I was thinking three things being considered implemented in stages that cover
Some of the labels on which policy acts are really run-time labels, not image labels. However I can have an image label that describes application as 'background' which really could hint the drivers to apply different policy than the rest of applications.
Permit with a policy, is application classification for infrastructure resource usage, and thus I see this to be a part of permit action fitting well. This is basic form of prioritization, for example an application can be automatically be put in class of applications that can not be evicted (scheduler policy), however in terms of network it could simply mean providing it a specific Mbps and CoS values for the traffic wihin the network, which in the network gets used for buffer allocation and scheduling. Disclaimer: I work for Cisco |
Having done some research, it would be possible to implement this as an AuthZ plugin. Docs: The Plugin Helper In order to do so, we would still need:
For this to progress, I suggest that we:
With that in mind, I'm going to close this issue with a view to moving the discussion elsewhere (action @jainvipin to post a link) |
I've been working with @jainvipin on the following proposal for the last week or so...
Introduction
In an enterprise environment, strict control over how the infrastructure is running is required is required to ensure compliance with either business policies or with regulations such as those imposed by HIPAA, SOX or PCI etc…
While the work on AuthN #13697 and AuthZ #14674 will allow us to provide Role-Based Access Control (RBAC) this deals with who can execute commands and what can they execute. Policy is complementary to this as it is focussed on how the container is being run.
Neither of these concepts are native to the Docker Engine and it is expected that a Policy Engine is responsible for implementing them.
The following would be examples of policy:
A Policy Engine is responsible for determining:
In order for these decisions to be made, I'm proposing that we add a Policy Extension Point to the Docker Engine.
Requirements
In order for this decision to be made, the policy engine should be passed the
ContainerConfig
andHostConfig
. It may use any of the passed parameters like 'labels', 'network', 'exposed ports', 'domain name', 'ENV' to specify a language to implement a selector.In Future, we may also pass information about the Authenticated User and Roles applied once AuthN and AuthZ work has concluded
The policy engine should also have the opportunity to make changes to the configuration.
As there are cases where the Docker Engine is not responsible for enforcing the result of policy, for example, when the implementation is handled by a Docker Plugin, it is recommended that the result of the policy engine’s computations should be written to the
HostConfig
in such a way that it can be interpreted by the necessary drivers.The fundamental reason for being to override behaviour is that constraints are specified by someone who has override authority above whoever is doing 'docker run'.
In general, there are multiple roles in the infra:
The override rules are specified by the SRE/Ops person who is responsible for security, and well maintained application infrastructure. The infrastructure operator who wants to offer a set of profiles may also create policies to be consumed by the application SRE/Ops person to use to run those applications.
It’s the responsibility of the user to choose a compatible Policy Engine, Network Driver, IP Addressing Driver, Volume Driver combination. The communication between these components is expected to take place out-of-band and is outside the scope of this proposal.
Proposed Implementation
Changes to HostConfig
A new field should be added to HostConfig in support of this change
Changes to existing plugin protocols
The Policy field from HostConfig should also be passed as part of the Plugin protocol for Networks, IPAM and Volumes.
Policy Extension Point
The implementation centers around a new Policy Engine extension point.
The suggested protocol is as follows:
PolicyEngine.CreateContainer
This method should be called before the container is started
Request:
The request contains the
ContainerConfig
andHostConfig
so the policy engine can derive which policies should apply in this instance. In future, this could be expanded to include additional context, for example, the authenticated user that is making the requestResponse:
The response contains facility to return a human readable error message in the case of a problem in the container configuration.
The
Action
field determines whether a container can be run:permit
- run the container without modificationdeny
- do not run the containerIn every case other than
permit
, theReason
field should be completed to provide feedback to the user.In all cases other than
deny
, the MapHostConfig.Policy
should contain results from the policy engine that contains information about any policies that were applied.The keys in the
Policy
field should conform to the same reverse DNS notation used by labels.UX Considerations
Select a policy engine
Run in-policy container
Run out-of-policy container
Swarm Considerations
This proposal should work seamlessly with Swarm today, provided that all Engines within a swarm are configured with identical
--policy-engine
flagsIt is clearly desirable for Swarm to be able to apply policy before the request is dispatched to a Docker Engine. Our recommendation would be to extend Swarm and to allow it to do this using the same plugin protocol… This way, policy could be enforced at both the cluster and the host level
The text was updated successfully, but these errors were encountered: