
[PodSecurity] baseline - apparmor #103378

Merged
merged 1 commit into from
Jul 2, 2021

Conversation

n4j
Member

@n4j n4j commented Jun 30, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

Implement the "AppArmor" check from https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

  • Disallows containers and initContainers with unconfined AppArmor annotation

Which issue(s) this PR fixes:

Fixes #103200

Special notes for your reviewer:

NONE

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement
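As an added illustration, not the PR's own code, a stand-alone Go version of the baseline AppArmor check described above: it scans pod annotations carrying the per-container AppArmor key prefix and reports any (container or initContainer) whose value is neither unset, `runtime/default`, nor a `localhost/` profile. The function and constant names are my own; only the annotation key format and the allowed values come from the linked Pod Security Standards.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Per-container AppArmor annotation key prefix (key = prefix + container name).
const appArmorAnnotationPrefix = "container.apparmor.security.beta.kubernetes.io/"

// allowedAppArmorProfile reports whether a profile value satisfies the baseline
// policy: unset, the runtime's default profile, or a profile loaded on the node.
func allowedAppArmorProfile(profile string) bool {
	return profile == "" ||
		profile == "runtime/default" ||
		strings.HasPrefix(profile, "localhost/")
}

// ForbiddenAppArmorAnnotations scans pod annotations and returns every AppArmor
// annotation (containers and initContainers alike, since both use the same
// prefix) whose value would override or disable the default profile, as
// "key=value" strings sorted for stable output. Empty result = pod passes.
func ForbiddenAppArmorAnnotations(annotations map[string]string) []string {
	var forbidden []string
	for k, v := range annotations {
		if !strings.HasPrefix(k, appArmorAnnotationPrefix) {
			continue // unrelated annotation
		}
		if !allowedAppArmorProfile(v) {
			forbidden = append(forbidden, fmt.Sprintf("%s=%q", k, v))
		}
	}
	sort.Strings(forbidden)
	return forbidden
}

func main() {
	// Constructed sample: one initContainer opts out of AppArmor, one container
	// uses a node-local profile, one uses the runtime default.
	annotations := map[string]string{
		appArmorAnnotationPrefix + "init-setup": "unconfined",
		appArmorAnnotationPrefix + "app":        "localhost/k8s-app",
		appArmorAnnotationPrefix + "sidecar":    "runtime/default",
		"other.annotation/x":                    "unconfined", // not an AppArmor key
	}
	for _, f := range ForbiddenAppArmorAnnotations(annotations) {
		fmt.Println("forbidden:", f)
	}
}
```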

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 30, 2021
@k8s-ci-robot
Contributor

@n4j: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jun 30, 2021
@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jun 30, 2021
@k8s-ci-robot
Contributor

Hi @n4j. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 30, 2021
@n4j
Member Author

n4j commented Jun 30, 2021

/assign @tallclair @liggitt

@liggitt
Member

liggitt commented Jun 30, 2021

@tallclair will take lead reviewing this one

@liggitt
Member

liggitt commented Jun 30, 2021

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 30, 2021
Member

@tallclair tallclair left a comment


Thanks for picking this up!

@n4j n4j requested a review from tallclair June 30, 2021 19:21
@n4j
Member Author

n4j commented Jun 30, 2021

@tallclair Thanks for the PR comments :)

Can you please re-review?

@n4j n4j requested a review from tallclair July 1, 2021 01:47
@liggitt liggitt self-assigned this Jul 1, 2021
@liggitt
Member

liggitt commented Jul 1, 2021

looks good, just a couple tweaks to the test fixtures (don't forget to regenerate fixtures and squash after making the updates)

@n4j n4j force-pushed the feature/podSecurityApparmor_v2 branch from 3de8300 to 1d803ed Compare July 1, 2021 16:34
@n4j n4j requested a review from liggitt July 1, 2021 16:36
@n4j
Member Author

n4j commented Jul 1, 2021

/test pull-kubernetes-integration

@k8s-ci-robot k8s-ci-robot added the do-not-merge/contains-merge-commits Indicates a PR which contains merge commits. label Jul 1, 2021
@@ -35,6 +35,7 @@ func SafeSysctlWhitelist() []string {
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
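Review bot: the new `"net.ipv4.ip_unprivileged_port_start"` entry in `SafeSysctlWhitelist()` is unrelated to the AppArmor baseline check this PR implements and widens the set of sysctls treated as safe; it looks like a rebase artifact and should be dropped from this branch so the change stays scoped to the pod security check.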
Member


I'm surprised to see this... bad rebase?

Member Author


Yes, give me a moment to fix this

@n4j n4j force-pushed the feature/podSecurityApparmor_v2 branch from bbb46fb to 817901d Compare July 1, 2021 17:50
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/contains-merge-commits Indicates a PR which contains merge commits. label Jul 1, 2021
Implement the "AppArmor" check from https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

- AppArmor check
- Fixtures
- UnitTest case
@n4j
Member Author

n4j commented Jul 1, 2021

Raised #103412 due to bad rebase issues

@n4j n4j closed this Jul 1, 2021
@tallclair
Member

@n4j I'd prefer to keep this PR open to maintain the comment history. Ping me on Slack if you want, and I can help you resolve the rebase issues. If #103412 has what you want, the following should work:

git checkout feature/podSecurityApparmor_v2
git reset --hard feature/appArmor_v3
git push -f origin feature/podSecurityApparmor_v2

@tallclair tallclair reopened this Jul 1, 2021
@n4j n4j force-pushed the feature/podSecurityApparmor_v2 branch from 817901d to 8049448 Compare July 1, 2021 21:57
@n4j
Member Author

n4j commented Jul 1, 2021

@tallclair / @liggitt Please re-review.

@n4j n4j requested a review from liggitt July 1, 2021 22:00
Member

@tallclair tallclair left a comment


/lgtm
/approve

Thanks!

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

func TestCheckAppArmor(t *testing.T) {
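Review bot: only the `TestCheckAppArmor` signature is visible here; since the PR description says the check disallows the unconfined annotation on both containers and initContainers, the table of cases should include an initContainer annotation alongside the container one, plus the allowed values (unset, `runtime/default`, a `localhost/` profile) so a regression in the allow-list is caught too.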
Member


thanks for the unit test!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 1, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: n4j, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2021
@k8s-ci-robot k8s-ci-robot merged commit 2627808 into kubernetes:master Jul 2, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jul 2, 2021
@n4j n4j deleted the feature/podSecurityApparmor_v2 branch July 2, 2021 03:05