PodSecurityPolicy should respect and validate user-supplied RunAsNonR… #47073
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
@kubernetes/sig-auth-pr-reviews |
k8s-ci-robot
added
the
sig/auth
|
cc @pweil- |
| @@ -51,8 +51,13 @@ func (s *nonRoot) Validate(pod *api.Pod, container *api.Container) field.ErrorLi | |||
| allErrs = append(allErrs, field.Invalid(securityContextPath, container.SecurityContext, detail)) | |||
| return allErrs | |||
| } | |||
| if container.SecurityContext.RunAsNonRoot != nil && *container.SecurityContext.RunAsNonRoot == false { | |||
| detail := fmt.Sprintf("RunAsNonRoot is forbidden by the pod security policy for container %s", container.Name) | |||
There was a problem hiding this comment.
RunAsNonRoot=false is forbidden... you could set it to true if you wanted
There was a problem hiding this comment.
Ok, that message is backwards. Let me fix it for you :D
| @@ -165,7 +165,10 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container | |||
| // if we're using the non-root strategy set the marker that this container should not be | |||
| // run as root which will signal to the kubelet to do a final check either on the runAsUser | |||
| // or, if runAsUser is not set, the image UID will be checked. | |||
| if s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot { | |||
| if sc.RunAsNonRoot != nil { | |||
There was a problem hiding this comment.
we only need to do something if sc.RunAsNonRoot == nil... the change in nonRoot#Validate() ensures a non-nil value is acceptable, so we don't need to overwrite it here (and the impl in this block is a no-op, anyway)
|
I'd like to see unit tests around both the Validate() and CreateContainerSecurityContext() changes |
k8s-github-robot
added
size/S
There was a problem hiding this comment.
+1 to this. IIRC the original behavior was a hold over from the time when the SCDeny plugin was used to prevent people from setting items in the SC so the system could always just DTRT.
Please make sure to add the scenario to the provider tests that do the pass/fail testing for the strategies.
k8s-github-robot
added
size/M
| createPod := func() *api.Pod { | ||
| return &api.Pod{ | ||
| Spec: api.PodSpec{ | ||
| Containers: []api.Container{{ | ||
| SecurityContext: &api.SecurityContext{}, | ||
| SecurityContext: &api.SecurityContext{RunAsNonRoot: &untrue}, |
There was a problem hiding this comment.
the point of this test is to make sure CreateContainerSecurityContext doesn't mutate a pod, so I'd want to leave it completely empty (no RunAsNonRoot set) to enable as many of the if ... == nil { ... } blocks as possible to run
| { | ||
| container: &api.Container{ | ||
| SecurityContext: &api.SecurityContext{ | ||
| RunAsNonRoot: &untrue, |
There was a problem hiding this comment.
and test that one with RunAsNonRoot: &true returns no error
Q-Lee
force-pushed
the
psp-run-as-non-root
branch
from
e2b2a34 to
158f17b
Compare
k8s-github-robot
added
size/L
|
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this |
Currently every change triggers full e2e. This is something we can fix with the magic of bazel! |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign @brendandburns @liggitt - the psp owners file is pretty sparse. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Q-Lee, brendandburns, liggitt Associated issue: 47071 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
@Q-Lee: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue (batch tested with PRs 47073, 47457, 47479) |
What this PR does / why we need it: PodSecurityPolicies overwrite and then fail to validate the RunAsNonRoot field in the container security context.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #47071Special notes for your reviewer: gce/gke don't use this in 1.6. You'll need to speak up if you think this is important enough to patch. It should almost certainly go into 1.7.
Release note: