Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PodSecurity] Add annotations denoting the exemption reason and the enforcement policy used #105908

Merged
merged 3 commits into from Nov 1, 2021
Merged

[PodSecurity] Add annotations denoting the exemption reason and the enforcement policy used #105908

merged 3 commits into from Nov 1, 2021

Conversation

stlaz
Copy link
Member

@stlaz stlaz commented Oct 26, 2021

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR adds a couple of annotations for the PodSecurity admission. These annotations are supposed to bring more clarity into how the pod was being evaluated. It also changes the audit annotation on audit violations to audit-violation to distinguish it from the namespace annotation used to mark the audit policy level.

Which issue(s) this PR fixes:

Fixes #103923

Special notes for your reviewer:

Does this PR introduce a user-facing change?

The pods and pod controllers that are exempted from the PodSecurity admission process are now marked with the "pod-security.kubernetes.io/exempt: user/namespace/runtimeClass" annotation, based on what caused the exemption.

The enforcement level that allowed or denied pod during PodSecurity admission is now marked by the "pod-security.kubernetes.io/enforce-policy" annotation.

The annotation that informs about audit policy violations changed from ""pod-security.kubernetes.io/audit" to ""pod-security.kubernetes.io/audit-violation".

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 26, 2021
@k8s-ci-robot
Copy link
Contributor

@stlaz: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Copy link
Contributor

Hi @stlaz. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 26, 2021
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 26, 2021
@tallclair tallclair added this to In Review in SIG-Auth: PodSecurity via automation Oct 27, 2021
tallclair
tallclair reviewed Oct 27, 2021
View reviewed changes
Copy link
Member

@tallclair tallclair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Left a few small suggestions.

staging/src/k8s.io/pod-security-admission/admission/admission.go Outdated
@@ -427,7 +437,7 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli

// TODO: reuse previous evaluation if audit level+version is the same as enforce level+version
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Audit, podMetadata, podSpec)); !result.Allowed {
auditAnnotations["audit"] = fmt.Sprintf(
auditAnnotations["audit-violation"] = fmt.Sprintf(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

KEP has this pluralized. Singular might make more sense, but we should update the KEP to match.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I might have just overlooked the plural, this should be fixed now

staging/src/k8s.io/pod-security-admission/admission/admission.go Outdated
Comment on lines 311 to 316
if a.exemptNamespace(attrs.GetNamespace()) {
return allowedByExemptResponse("namespace")
}

if a.exemptUser(attrs.GetUserName()) {
return allowedByExemptResponse("user")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should cache a shared response for these (one for each exemption). The exemption flow isn't quite as performance critical as privileged, but I'd still like to keep it fast.

The runtimeClass exemption doesn't need to be as fast, but it probably simplifies things to just make it consistent with the other 2.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I used the same pattern as the allowed response is using, then

staging/src/k8s.io/pod-security-admission/api/constants.go Outdated
Comment on lines 47 to 49
ExemptionReasonLabel = labelPrefix + "exempt"
AuditViolationLabel = labelPrefix + "audit-violation"
EnforcedPolicyLabel = labelPrefix + "enforce-policy"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently unused. I like having these here though, so I recommend updating admission.go to refer to them. Also rename.

Suggested change
ExemptionReasonLabel = labelPrefix + "exempt"
AuditViolationLabel = labelPrefix + "audit-violation"
EnforcedPolicyLabel = labelPrefix + "enforce-policy"
ExemptionReasonAnnotationKey = "exempt"
AuditViolationAnnotationKey = "audit-violation"
EnforcedPolicyAnnotationKey = "enforce-policy"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion, it should be incorporated in the PR now.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 28, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 1, 2021
@enj enj added this to Needs Triage in SIG Auth Old Nov 1, 2021
tallclair
tallclair approved these changes Nov 1, 2021
View reviewed changes
Copy link
Member

@tallclair tallclair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

SIG Auth Old automation moved this from Needs Triage to In Progress Nov 1, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 1, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 1, 2021
@liggitt
Copy link
Member

liggitt commented Nov 1, 2021

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 1, 2021
@liggitt liggitt moved this from In Review to Done (1.23, Beta) in SIG-Auth: PodSecurity Nov 1, 2021
@liggitt
Copy link
Member

liggitt commented Nov 1, 2021

/retest

@k8s-ci-robot k8s-ci-robot merged commit ac2d872 into kubernetes:master Nov 1, 2021
SIG Auth Old automation moved this from In Progress to Closed / Done Nov 1, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Nov 1, 2021
@stlaz stlaz deleted the ps_annotations branch November 2, 2021 08:10
@liggitt liggitt mentioned this pull request Nov 3, 2021
Closed
12 tasks
This was referenced Jan 31, 2022
Closed
Merged
@stlaz stlaz mentioned this pull request Apr 1, 2022
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tallclair tallclair tallclair approved these changes

@deads2k deads2k Awaiting requested review from deads2k

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@tallclair tallclair

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
SIG Auth
Archived in project
SIG-Auth: PodSecurity
Done (1.23, Beta)
SIG Auth Old
Closed / Done
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.

[PodSecurity] Extra audit annotations
4 participants
@stlaz @k8s-ci-robot @liggitt @tallclair