
[BUG] Built-in PSACT rancher-restricted is not updated to the new version after Rancher is upgraded #43150

Open
jiaqiluo opened this issue Oct 13, 2023 · 6 comments
Labels

  • area/psa: Pod Security Admission related issues
  • kind/bug: Issues that are defects reported by users or that we know have reached a real release
  • QA/S
  • release-note: Note this issue in the milestone's release notes
  • security-required
  • status/release-note-added
  • team/hostbusters: The team that is responsible for provisioning/managing downstream clusters + K8s version support
  • Waiting for RC: Waiting for an RC before this ticket can move.
  • [zube]: Blocked
Comments

@jiaqiluo (Member) commented Oct 13, 2023

Rancher Server Setup

  • Rancher version: 2.7.6
  • Installation option (Docker install/Helm Chart): either
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc):
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version: any
  • Cluster Type (Local/Downstream): local, either embedded (docker-installed) or external (HA)
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider):

User Information

  • What is the role of the user logged in? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom) any
    • If custom, define the set of permissions:

Describe the bug

In Rancher v2.7.7, two new entries, cattle-provisioning-capi-system and cattle-fleet-local-system, are added to the exemptions.namespaces list in the built-in PodSecurityAdmissionConfigurationTemplate (PSACT) rancher-restricted. (PR)

However, Rancher lacks the ability to update the existing PSACT, rancher-restricted in this case, so when we upgrade Rancher from 2.7.6 to 2.7.7, rancher-restricted is not updated to the new version, i.e. the new entries are missing.

To Reproduce

  • run Rancher v2.7.6
  • notice that a PSACT rancher-restricted is created in the local cluster
  • upgrade Rancher to v2.7.7 or later
  • check the PSACT rancher-restricted

Result

The value of the PSACT rancher-restricted is unchanged: it is NOT updated to include cattle-provisioning-capi-system and cattle-fleet-local-system

Expected Result

Rancher should update the PSACT rancher-restricted to include cattle-provisioning-capi-system and cattle-fleet-local-system under the exemptions.namespaces list.

@jiaqiluo jiaqiluo added kind/enhancement Issues that improve or augment existing functionality [zube]: Team Area 2 labels Oct 13, 2023
@snasovich snasovich added release-note Note this issue in the milestone's release notes [zube]: Release Note labels Oct 13, 2023
@Sahota1225 Sahota1225 added this to the v2.8.0 milestone Oct 13, 2023
@jiaqiluo jiaqiluo changed the title [RFE] Support updating existing PSACT rancher-privileged and rancher-restricted [BUG] Built-in PSACT rancher-restricted is not updated to the new version after Rancher is upgraded Oct 13, 2023
@jiaqiluo jiaqiluo added kind/bug Issues that are defects reported by users or that we know have reached a real release and removed kind/enhancement Issues that improve or augment existing functionality labels Oct 13, 2023
@jiaqiluo (Member, Author) commented Oct 13, 2023

Workaround:

Update the PSACT rancher-restricted to add cattle-provisioning-capi-system and cattle-fleet-local-system under the exemptions.namespaces list. This can be done via Rancher UI, kubectl, or other means.

@martyav (Contributor) commented Oct 13, 2023

@jiaqiluo or @btat Added to release notes. Re-requested permissions to add labels to this repo

@snasovich snasovich added the team/hostbusters The team that is responsible for provisioning/managing downstream clusters + K8s version support label Nov 16, 2023
@snasovich snasovich modified the milestones: v2.8.0, v2.8-Next1 Nov 16, 2023
@snasovich (Collaborator) commented
Moved to next milestone as release note was added to draft version.

@jiaqiluo jiaqiluo self-assigned this Nov 28, 2023
@Oats87 Oats87 added the area/psa Pod Security Admission related issues label Dec 5, 2023
@snasovich (Collaborator) commented
Added security-required label and moved to "Blocked" status as we're awaiting the security team's evaluation of approaches to address this issue.

@jiaqiluo (Member, Author) commented
Root cause

Rancher lacks the ability to update the existing built-in PSACTs.

What was fixed, or what changes have occurred

Now, Rancher can update the built-in PSACTs on Rancher's start-up.

It is worth mentioning that Rancher will update the built-in PSACTs in a way that preserves the user's additions to the exemptions and merges everything from the built-in template into the existing one, which means that any value that is from the built-in template but removed by users will be added back. This is to make sure Rancher and its components work properly.

The above logic is applied to all three fields under the .Configuration.Exemptions: Namespaces, Usernames, and RuntimeClasses. Currently, the PSACT rancher-restricted utilizes only Namespaces.

Areas or cases that should be tested

Case 1: Upgrade Rancher from version A to B where the built-in template for the PSACT rancher-restricted is changed (i.e., new namespaces are added to the exception list).

Case 2: Upgrade Rancher from version A to B where the user makes some changes on rancher-restricted while on version A.

In both cases, we would like to see the PSACT rancher-restricted contain the union of the new template and the user's customization (if there is any).

What areas could experience regressions?

After upgrading Rancher, the PSACT rancher-restricted is not upgraded or the user's customization is lost.

Are the repro steps accurate/minimal?

yes

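The merge rule described in the fix above (keep the user's additions, re-add any built-in entry the user removed, apply the same rule to Namespaces, Usernames and RuntimeClasses), together with the check behind the earlier workaround (which built-in namespaces a not-yet-updated rancher-restricted is missing), as an added Go example. This is not Rancher's own code: the type and function names (Exemptions, MergeExemptions, MissingEntries) and the shortened namespace lists are assumptions made for the example; only cattle-provisioning-capi-system and cattle-fleet-local-system come from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Exemptions mirrors the three list fields under
// .Configuration.Exemptions of a PodSecurityAdmissionConfigurationTemplate.
// (Assumed shape for this example, not Rancher's Go type.)
type Exemptions struct {
	Usernames      []string
	RuntimeClasses []string
	Namespaces     []string
}

// unionList keeps every entry already present (the user's customizations,
// in their order), then appends any built-in entry that is absent, in
// template order. Duplicates are dropped, so the result is a true union.
func unionList(existing, builtin []string) []string {
	seen := make(map[string]struct{}, len(existing)+len(builtin))
	out := make([]string, 0, len(existing)+len(builtin))
	for _, list := range [][]string{existing, builtin} {
		for _, v := range list {
			if _, dup := seen[v]; dup {
				continue
			}
			seen[v] = struct{}{}
			out = append(out, v)
		}
	}
	return out
}

// MergeExemptions applies unionList to all three exemption fields: user
// additions survive, and built-in entries the user removed come back.
func MergeExemptions(existing, builtin Exemptions) Exemptions {
	return Exemptions{
		Usernames:      unionList(existing.Usernames, builtin.Usernames),
		RuntimeClasses: unionList(existing.RuntimeClasses, builtin.RuntimeClasses),
		Namespaces:     unionList(existing.Namespaces, builtin.Namespaces),
	}
}

// MissingEntries returns the built-in entries absent from existing, i.e. what
// an operator on an un-fixed upgrade would have to add by hand.
func MissingEntries(existing, builtin []string) []string {
	have := make(map[string]struct{}, len(existing))
	for _, v := range existing {
		have[v] = struct{}{}
	}
	var missing []string
	for _, v := range builtin {
		if _, ok := have[v]; !ok {
			missing = append(missing, v)
		}
	}
	return missing
}

func main() {
	// Constructed, shortened lists; the real built-in templates are longer.
	oldBuiltin := []string{"kube-system", "cattle-system", "cattle-fleet-system"}
	newBuiltin := append(append([]string{}, oldBuiltin...),
		"cattle-provisioning-capi-system", "cattle-fleet-local-system")

	// Case 2 from the comment above: on version A the user removed
	// cattle-fleet-system and added a namespace of their own.
	user := Exemptions{Namespaces: []string{"kube-system", "cattle-system", "team-a"}}

	fmt.Println("missing:", strings.Join(MissingEntries(user.Namespaces, newBuiltin), ", "))
	merged := MergeExemptions(user, Exemptions{Namespaces: newBuiltin})
	fmt.Println("merged: ", strings.Join(merged.Namespaces, ", "))
}
```

One consequence worth noting: because removed built-in entries are always added back, editing rancher-restricted cannot be used to narrow its exemption set below the built-in template; a narrower policy belongs in a separate template.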
@jiaqiluo jiaqiluo added the Waiting for RC Waiting for an RC before this ticket can move. label Apr 29, 2024
@jiaqiluo (Member, Author) commented
Wait for Rancher RC

9 participants