[KEP-127] Add Pod Security Standards to User Namespaces KEP #4044

Merged
merged 1 commit into from
Jun 15, 2023
50 changes: 48 additions & 2 deletions keps/sig-node/127-user-namespaces/README.md
Expand Up @@ -24,6 +24,7 @@
- [Example without idmap mounts](#example-without-idmap-mounts)
- [Example with idmap mounts](#example-with-idmap-mounts)
- [Regarding the previous implementation for volumes](#regarding-the-previous-implementation-for-volumes)
- [Pod Security Standards (PSS) integration](#pod-security-standards-pss-integration)
- [Unresolved](#unresolved)
- [Test Plan](#test-plan)
- [Prerequisite testing updates](#prerequisite-testing-updates)
Expand Down Expand Up @@ -317,7 +318,7 @@ way, the Kubelet can read all the allocated mappings if it restarts.
During alpha, to make sure we don't exhaust the host UID namespace, we will
limit the number of pods using user namespaces to `min(maxPods, 1024)`. This
leaves us plenty of host UID space free and this limits is probably never hit in
practice. See UNRESOLVED for more some UNRESOLVED info we still have on this.
practice. See the [Unresolved section](#unresolved) for more details on this.

### Handling of volumes

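Review bot: the unchanged context line just above the edited sentence still carries the typo "this limits is probably never hit in practice"; since this paragraph is being touched anyway, fold in the fix to "this limit is probably never hit in practice". The replacement sentence pointing at the [Unresolved section](#unresolved) itself reads fine and matches the anchor used in the TOC.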
Expand Down Expand Up @@ -407,6 +408,44 @@ components that implement the interface.

[kubeletVolumeHost-interface]: https://github.com/kubernetes/kubernetes/blob/36450ee422d57d53a3edaf960f86b356578fe996/pkg/volume/plugins.go#L322

### Pod Security Standards (PSS) integration

[Pod Security Standards](https://k8s.io/docs/concepts/security/pod-security-standards)
define three different policies to broadly cover the whole security spectrum of
Kubernetes, while the User Namespaces feature should integrate into them. This
will happen only if the feature is graduated to GA, which _may_ result in
changing the `Restricted` profile to disallow host user namespaces for stateless
Pods.

The Pod Security will relax in a controlled way for pods which enable user
namespaces. This behavior can be controlled by an API Server Feature Gate, which
allows an early opt-in for end users. The overall burden to ensure that all
nodes will honor user namespaces is on the cluster admin, though. The relaxation
in detail means, that if user namespaces are enabled, then the following fields
won't be restricted any more because they always have to refer to the user
inside the container:

- `spec.securityContext.runAsNonRoot`
- `spec.containers[*].securityContext.runAsNonRoot`
- `spec.initContainers[*].securityContext.runAsNonRoot`
- `spec.ephemeralContainers[*].securityContext.runAsNonRoot`
- `spec.securityContext.runAsUser`
- `spec.containers[*].securityContext.runAsUser`
- `spec.initContainers[*].securityContext.runAsUser`
- `spec.ephemeralContainers[*].securityContext.runAsUser`
- `spec.containers[*].securityContext.allowPrivilegeEscalation`
- `spec.initContainers[*].securityContext.allowPrivilegeEscalation`
- `spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation`
- `spec.containers[*].securityContext.capabilities.drop`
- `spec.initContainers[*].securityContext.capabilities.drop`
- `spec.ephemeralContainers[*].securityContext.capabilities.drop`
- `spec.containers[*].securityContext.capabilities.add`
- `spec.initContainers[*].securityContext.capabilities.add`
- `spec.ephemeralContainers[*].securityContext.capabilities.add`

A serial test will be added to validate the functionality with the enabled
feature gate.

### Unresolved

Here is a list of considerations raised in PRs discussion that hasn't yet
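Review bot: the first paragraph of the new section says the PSS integration "will happen only if the feature is graduated to GA", but the very next paragraph describes a relaxation controlled by an API Server feature gate as an early opt-in, and the Alpha criteria in this same PR add that gate; state explicitly which part is gated (the controlled relaxation of the listed `runAsNonRoot`, `runAsUser`, `allowPrivilegeEscalation` and `capabilities` checks for pods that enable user namespaces) and which part waits for GA (changing the `Restricted` profile to disallow host user namespaces for stateless Pods), otherwise readers cannot tell whether the field list applies before GA. Two wording nits in the same paragraphs: "while the User Namespaces feature should integrate into them" reads as a contrast where none is intended (suggest "and the User Namespaces feature should integrate with them"), and "The Pod Security will relax" should name the component, e.g. "Pod Security admission will relax". The closing sentence about a serial test would also be more useful if it said what is asserted, for instance that a pod using user namespaces with the listed fields left unset is admitted under `Restricted` only when the gate is enabled and rejected when it is disabled.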
Expand Down Expand Up @@ -532,20 +571,27 @@ use container runtime versions that have the needed changes.
### Graduation Criteria

##### Alpha

- Support with idmap mounts
- Gather and address feedback from the community
- Add API Server feature flag to integrate into [Pod Security Standards (PSS)](#pod-security-standards-pss-integration)
- Changing restrictions on the what volumes will be allowed

##### Beta

- Make plans on whether, when, and how to enable by default

###### Open Questions

- Should we reconsider making the mappings smaller by default?
- Should we allow any way for users to for "more" IDs mapped? If yes, how many more and how?
- Should we allow the user to ask for specific mappings?
- Get review from VM container runtimes maintainers
- Gather and address feedback from the community

##### GA

- Gather and address feedback from the community
- Fully integrate into [Pod Security Standards (PSS)](#pod-security-standards-pss-integration)

### Upgrade / Downgrade Strategy

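Review bot: the new GA criterion "Fully integrate into Pod Security Standards (PSS)" is vaguer than the section it links to; spell out the concrete outcome (changing the `Restricted` profile to disallow host user namespaces for stateless Pods, as that section says) so the graduation gate is checkable rather than a restatement of the Alpha feature-flag item. Two typos sit on unchanged context lines in this hunk and are worth fixing while here: "Changing restrictions on the what volumes will be allowed" (drop "the") and "Should we allow any way for users to for "more" IDs mapped?" (e.g. "to ask for more IDs to be mapped").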
3 changes: 2 additions & 1 deletion keps/sig-node/127-user-namespaces/kep.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ kep-number: 127
authors:
- "@rata"
- "@giuseppe"
- "@saschagrunert"
owning-sig: sig-node
participating-sigs: []
status: implementable
Expand All @@ -15,7 +16,7 @@ approvers:
- "@derekwaynecarr"

stage: alpha
latest-milestone: "v1.27"
latest-milestone: "v1.28"
milestone:
alpha: "v1.25"
