Security Standards for both Windows and Linux#29855
Security Standards for both Windows and Linux#29855ravisantoshgudimetla wants to merge 1 commit intokubernetes:mainfrom
Conversation
Some of the current pod security standards may not work for both Windows and Linux pods. This commit is an attempt to audit existing pod security standards and label them based on their relevance to a particular OS.
k8s-ci-robot
added
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
k8s-ci-robot
added
language/en
|
/sig security |
k8s-ci-robot
added
the
sig/security
|
✔️ Deploy Preview for kubernetes-io-main-staging ready! 🔨 Explore the source changes: be8a980 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/61546ba595f0c30008fd82d9 😎 Browse the preview: https://deploy-preview-29855--kubernetes-io-main-staging.netlify.app |
| <td style="white-space: nowrap">Host Namespaces</td> | ||
| <td> | ||
| <p>Sharing the host namespaces must be disallowed.</p> | ||
| <p>Sharing the host namespaces must be disallowed. This is a Linux specific field and should not be used for Windows Pods.</p> |
There was a problem hiding this comment.
does it make sense to mention the fact that this will be effectively only possible with the new Windows KEP being in place?
There was a problem hiding this comment.
we would not add OS-specific docs to this check... no matter the OS of the pod, this policy would disallow this field
There was a problem hiding this comment.
So, what should the admission plugin do? Throw an error saying:
This field is not allowed when baseline policy is enabled?
or
This field is not allowed for Windows pod and cannot be used with baseline profile even for linux pods to give user a more specific error?
or are you saying let's not update the docs for OS specific fields if they are already validated based on values(sometimes nil or undefined etc).
There was a problem hiding this comment.
All the checks that forbid specific fields/values can remain unchanged, even if those fields are OS-specific. For example, the baseline policy can forbid privileged: true, regardless of whether the pod is a windows pod or not.
(API validation could additionally complain if you set a linux-specific field on an explicitly windows pod, but that would not be done by the pod security admission plugin)
The checks that currently require specific fields to be set (which are all in the restricted policy) are what we would make conditional on the pod OS.
There was a problem hiding this comment.
(API validation could additionally complain if you set a linux-specific field on an explicitly windows pod, but that would not be done by the pod security admission plugin)
I am doing it here - kubernetes/kubernetes#104693
The checks that currently require specific fields to be set (which are all in the restricted policy) are what we would make conditional on the pod OS.
Ok, I'll make changes to restricted profile only then.
| <td style="white-space: nowrap">Privileged Containers</td> | ||
| <td> | ||
| <p>Privileged Pods disable most security mechanisms and must be disallowed.</p> | ||
| <p>Privileged Pods disable most security mechanisms and must be disallowed. This is a Linux specific field and should not be used for Windows Pods.</p> |
There was a problem hiding this comment.
we would not add OS-specific docs to this check... no matter the OS of the pod, this policy would disallow this field
There was a problem hiding this comment.
So, what should the admission plugin do? Throw an error saying:
This field is not allowed when baseline policy is enabled?
or
This field is not allowed for Windows pod and cannot be used with baseline profile even for linux pods to give user a more specific error?
| <td style="white-space: nowrap">Capabilities</td> | ||
| <td> | ||
| <p>Adding additional capabilities beyond those listed below must be disallowed.</p> | ||
| <p>Adding additional capabilities beyond those listed below must be disallowed. This is a Linux specific field and should not be used for Windows Pods.</p> |
There was a problem hiding this comment.
we would not add OS-specific docs to this check... no matter the OS of the pod, this policy would disallow this field
There was a problem hiding this comment.
So, what should the admission plugin do? Throw an error saying:
This field is not allowed when baseline policy is enabled?
or
This field is not allowed for Windows pod and cannot be used with baseline profile even for linux pods to give user a more specific error?
| <td style="white-space: nowrap">AppArmor</td> | ||
| <td> | ||
| <p>On supported hosts, the <code>runtime/default</code> AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles.</p> | ||
| <p>On supported hosts, the <code>runtime/default</code> AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles. This is a Linux specific field and should not be used for Windows Pods.</p> |
There was a problem hiding this comment.
we would not add OS-specific docs to this check... no matter the OS of the pod, this policy should be enforced (since it permits an undefined value)
There was a problem hiding this comment.
So, if the field permits undefined values, we should let the pod security validation pass if there are undefined values? I thought we can outright reject pods if they have mismatched fields(based on OS) in the pod or container security context
| <td style="white-space: nowrap">SELinux</td> | ||
| <td> | ||
| <p>Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden.</p> | ||
| <p>Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden. This is a Linux specific field and should not be used for Windows Pods.</p> |
There was a problem hiding this comment.
we would not add OS-specific docs to this check... no matter the OS of the pod, this policy should be enforced (since it permits omitting the field)
There was a problem hiding this comment.
So, if the field permits undefined values, we should let the pod security validation pass? I thought we can outright reject pods if they have mismatched fields in the pod or container security context
| <td style="white-space: nowrap">Seccomp (v1.19+)</td> | ||
| <td> | ||
| <p>Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited.</p> | ||
| <p>Seccomp profile must be explicitly set to one of the allowed values. Both the <code>Unconfined</code> profile and the <em>absence</em> of a profile are prohibited. This is a Linux specific field and should not be used for Windows Pods.</p> |
There was a problem hiding this comment.
This check WILL be OS-specific once that support is added to pods, and will not apply to windows pods, but we should not update this doc until that feature lands (planned for alpha in 1.23)
There was a problem hiding this comment.
Right. This PR is supposed to merge after the code changes are in place.
| @@ -422,7 +422,7 @@ fail validation. | |||
| <td> | |||
| <p> | |||
| Containers must drop <code>ALL</code> capabilities, and are only permitted to add back | |||
There was a problem hiding this comment.
This check WILL be OS-specific once that support is added to pods, and will not apply to windows pods, but we should not update this doc until that feature lands (planned for alpha in 1.23)
There was a problem hiding this comment.
Right. This PR is supposed to merge after the code changes are in place.
There was a problem hiding this comment.
See kubernetes/enhancements#2802 (comment) for the request for docs.
|
/sig auth @ravisantoshgudimetla if you're planning this to document changes for Kubernetes v1.23, please target the dev-1.23 branch. It will also be useful to let the release-docs team know you've opened this (if you haven't already said so). |
k8s-ci-robot
added
the
sig/auth
k8s-ci-robot
added
size/XXL
k8s-ci-robot
added
size/S
Will do that @sftim. Thank you :) |
@ravisantoshgudimetla can you please do this? |
|
/sig windows |
k8s-ci-robot
added
the
sig/windows
This is not needed for 1.23. @enj can you add appropriate milestone for this(1.25 in this case) |
|
If this issue isn't about documenting current Kubernetes behavior, or changes planned for an upcoming release, I suggest transferring the issue to https://github.com/kubernetes/sig-security I'll highlight this in Slack too. |
|
@ravisantoshgudimetla would you be willing to revise the PR description to link to https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/2802-identify-windows-pods-apiserver-admission/ as well ? |
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
I should add some context to my comment, I held this PR for after the release and copied Jesse in as the SIG Docs lead to keep an eye on it in the |
|
@ravisantoshgudimetla: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
@ravisantoshgudimetla as this is pointed at |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
Based on #29855 (review) it doesn't look as if this change would go through as-s. @ravisantoshgudimetla I'm going to close this PR. You might like to file an issue (against https://github.com/kubernetes/website) to describe the defect you're experiencing or the improvement that you'd like to see. |
|
@sftim: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
10 participants
Some of the current pod security standards may not work for both Windows and Linux pods. This commit is an attempt to audit existing pod security standards and label them based on their relevance to a particular OS.
xref: kubernetes/enhancements#2803